Ian G wrote:
> Ha!  I didn't know about that page... excellent,
> it rounds out the Top Tips on Security on my
> blog.  Added, thanks.

I currently think it's mostly true - it's certainly good advice. However, we may be changing that spec for 1.1.


> (I'm hoping that in the interim Gervase or someone
> will add the name of the CA on to that little status
> bar thing.)

I've been thinking about this. Say we did add the name. Say some company screwed up, and got a bad reputation. Say lots of other sites changed to buy certs from someone else. Wouldn't that cause a lot of false concerns? "Hang on a minute, I think this is ebay.com, but ebay.com are signed by USERTRUST, and this site is signed by Verisign...". (Let's leave aside for a minute that my Grandfather couldn't think like that in a million years.)


We're back onto an issue that I think we've discussed before - how does the user benefit from having the CA name there? If they want to visit a particular shop, they have a choice of doing so while protected by SUPERTRUST, or not at all. They can't say "Hmm, I don't trust SUPERTRUST, I want Verisign to protect me."

In the absence of even the ability (never mind the understanding and the will) to make that choice, I'm not convinced that adding the CA name is worth the real estate and added UI complexity.

> Has anyone looked at the new Opera browser?  I
> saw the press release about their anti-phishing
> SSL cert display, but I don't have a copy myself.

I hope to soon.

Gerv
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto
