Nelson B wrote:

Choosing to be a low-assurance CA is a legit choice, IMO, as long as
the low assurance CA doesn't then issue certs used in applications
that require high assurance.

Is there something that can be done to add extra bits to the server certs? Atm when I see "Class 3" server certificates in the browser it's purely informational, why not mark those certificates high trust with bits in the nss libs and then have the chrome show this information, maybe instead of a padlock open/closed, have a set of different icons that show class 3 issued certs visually as being different than Class 2 or Class 1? At present CAcert only issues from the 1 root cert, but we do issue different classes of certificates, at present the length of time is the giveaway... 180 days = low trust, 720 days = high trust... It's really a no-brainer to take that 1 step further and issue them under different root certs etc...


Again, binary security can't deal with this other than with informational fields and they are more or less useless unless people actually pay attention to them, which I doubt most people will... So make it blatantly obvious for them, this is good for web mail, this is good for credit cards, this is somewhere in the middle of them both...

--

Best regards,
 Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://happysnapper.com.au - Sell your photos over the net!
http://e164.org - Using Enum.164 to interconnect asterisk servers

"In the long run the pessimist may be proved right,
    but the optimist has a better time on the trip."
_______________________________________________
mozilla-crypto mailing list
mozilla-crypto@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-crypto
