Duane wrote:
> Ram0502 wrote:
>
> > That's an interesting suggestion, it provides the same kind of
> > authentication for HTTPS as the above does for secure email. If the
> > session is initiated by the CA this proves the ability to control the
> > host at the specified location. I wouldn't give them my CC# but it does
> > create a relationship. I wouldn't provide any sensitive information to
> > them as they could be hard to track down if I were facing fraud as
> > presumably I wouldn't know their identity.
>
> But what if the certificate is only used to protect passwords for
> webmail and doesn't need the ability to be found for fraud?

If I don't have any security requirements in my interactions with a
site because I have no risk in them, then it seems I may not find it
very important to know who is on the other end of the session. Although
as part of managing access to my webmail account I may prefer to have
my password passed privately to the site, and for that to be useful I
need to know I'm at the right site, though in this case I just need
consistency, not a proper legal identity. Given a site that is careful
not to change DNS names, and careful to share their keys across all
machines that service it at all the locations they may have (Yahoo must
have multiple points of presence with racks of machines at each), and
the presence of some particular UI elements in web clients, I don't need
a professional identity checker. These are non-trivial requirements on
the site operator but it would save them some money. I wouldn't be
surprised if there is room for innovation here but I wouldn't forgo
all my other security concerns in favor of pursuing this functionality.

>
> Binary security can't deal with both situations simultaneously and
> adequately, it needs to indicate visually the level of security...

I couldn't agree more that visual feedback to the user is a good UI
mechanism. I'll start a thread with some ideas that have been bubbling
around my head - visual feedback plays prominently.

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
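The key-continuity model sketched in the reply above (trusting that the same site key keeps showing up across sessions and points of presence, instead of relying on a CA-vetted legal identity) can be illustrated with a small trust-on-first-use pin store that also yields a graded security level a client could surface visually. This is an added example, not code from the thread or from Mozilla; the hostname and the key byte strings are constructed placeholders standing in for DER-encoded SubjectPublicKeyInfo blobs a client would extract from the server's certificate.

```python
import hashlib
import json
from pathlib import Path
from typing import Dict, List, Optional

# Constructed sample keys standing in for DER-encoded SubjectPublicKeyInfo
# blobs taken from a server certificate. Real code would pull these from
# the TLS handshake; here they are labelled byte strings.
KEY_A = b"constructed-spki-for-mail.example.test-v1"
KEY_B = b"constructed-spki-for-mail.example.test-v2"

# Security levels a client could map onto a visual indicator.
FIRST_SEEN = "first-seen"                # no history yet; nothing to compare against
CONSISTENT = "consistent"                # same key as every previous session
CHANGED = "changed"                      # key differs from the pinned one: stop and ask
IDENTITY_VERIFIED = "identity-verified"  # CA-validated chain, and key not contradicted


def spki_fingerprint(spki_der: bytes) -> str:
    """Pin the SHA-256 of the public key rather than the whole certificate, so a
    site can reissue certificates for the same key without tripping the check."""
    return hashlib.sha256(spki_der).hexdigest()


class ContinuityStore:
    """Per-host pin store implementing trust-on-first-use key continuity."""

    def __init__(self, path: Optional[Path] = None) -> None:
        self.path = path
        self.pins: Dict[str, str] = {}
        if path is not None and path.exists():
            self.pins = json.loads(path.read_text())

    def _save(self) -> None:
        if self.path is not None:
            self.path.write_text(json.dumps(self.pins, indent=2, sort_keys=True))

    def check(self, host: str, spki_der: bytes, ca_validated: bool = False) -> str:
        """Classify this session's key for `host` against what was seen before.

        A changed key is reported but never silently re-pinned: the user (or an
        out-of-band channel) decides whether the rotation was legitimate.
        """
        fingerprint = spki_fingerprint(spki_der)
        pinned = self.pins.get(host)
        if pinned is None:
            self.pins[host] = fingerprint
            self._save()
            level = FIRST_SEEN
        elif pinned == fingerprint:
            level = CONSISTENT
        else:
            return CHANGED
        # Continuity and CA validation are independent signals; a CA-validated
        # chain whose key does not contradict history earns the strongest level.
        if ca_validated:
            return IDENTITY_VERIFIED
        return level

    def accept_new_key(self, host: str, spki_der: bytes) -> None:
        """Explicit user/admin action to re-pin after a deliberate key rotation."""
        self.pins[host] = spki_fingerprint(spki_der)
        self._save()


def demo() -> List[str]:
    """Walk through the scenario from the thread: several machines sharing one
    key look 'consistent'; a different key on the same name is flagged."""
    store = ContinuityStore()
    host = "mail.example.test"  # constructed hostname
    return [
        store.check(host, KEY_A),                     # first visit
        store.check(host, KEY_A),                     # another rack, same shared key
        store.check(host, KEY_A, ca_validated=True),  # same key plus a CA-validated chain
        store.check(host, KEY_B),                     # different key: flagged, not re-pinned
        store.check(host, KEY_A),                     # original key still consistent
    ]


if __name__ == "__main__":
    print(demo())  # ['first-seen', 'consistent', 'identity-verified', 'changed', 'consistent']
```

Pinning the public key hash rather than the certificate is what lets the site operator renew certificates freely as long as the key is shared across every machine serving the name; a changed key is never overwritten automatically, which is the property that makes the "consistency" signal worth showing to the user.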
