Gervase Markham wrote:

Ian G wrote:

Ha!  I didn't know about that page... excellent,
it rounds out the Top Tips on Security on my
blog.  Added, thanks.


I currently think it's mostly true - it's certainly good advice. However, we may be changing that spec for 1.1.

(I'm hoping that in the interim Gervase or someone
will add the name of the CA on to that little status
bar thing.)


I've been thinking about this. Say we did add the name. Say some company screwed up, and got a bad reputation. Say lots of other sites changed to buy certs from someone else. Wouldn't that cause a lot of false concerns? "Hang on a minute, I think this is ebay.com, but ebay.com are signed by USERTRUST, and this site is signed by Verisign...". (Let's leave aside for a minute that my Grandfather couldn't think like that in a million years.)


Well, for a start, think it through.  Most sites will not
change their certs.  Only a few will actually waste the
remaining time .. until renewal.  But some will; and
these some will cause the pressure on the company.
New companies will go somewhere else, as the scandal
is fresh in mind.  That's the pressure we want.

Secondly, what you are pointing at is a *derivative*
problem.  The primary problem is that the CA issued
a duff cert.  How do you solve that?  Well, there has
to be some pain somewhere, and the closer it is to
the users, the more likely the pain will actually respond
to user security needs.  So, yes, some users are
going to have some pain.  That's part of the process.

Thirdly, your grandfather could think like that, and
probably does - ask him what car brands he knows.
Then ask him if he knows anyone who buys Ford
every time ... and ask him what would happen if
he saw the guy go and buy a Renault or a SEAT?

Fourthly, what exactly are you saying in terms of not
showing the cert?  Are you saying that you believe that
when a company screws up, it should be dealt with
behind the scenes?  That the users shouldn't know
that UserBust is continuing to issue duff certs, and
it is stuck in the root list of 90% of issued product?

We're back onto an issue that I think we've discussed before - how does the user benefit from having the CA name there? If they want to visit a particular shop, they have a choice of doing so while protected by SUPERTRUST, or not at all. They can't say "Hmm, I don't trust SUPERTRUST, I want Verisign to protect me."


Right.  But, bear in mind - their relationship with
their site is far greater than with any CA.  What
happens is if the site is an online bank, they decide
they want one or two or three CAs.  If it is a record
shop, then maybe half a dozen.  If it is an online mail
service, then *any* cert will do.

Somebody's going to establish themselves as the
"safe enough for online banking" CA.  Others will
dominate the mail space.  Yet others will concentrate
on small internal sites.

Users are capable of analysing what it means to
use a recognised cert and when not to.  They
just have to be given the chance, and get comfortable,
make a few mistakes, etc.

In the absence of even the ability (never mind the understanding and the will) to make that choice, I'm not convinced that adding the CA name is worth the real estate and added UI complexity.


They have the ability.  They use it every purchase
they make.  Ask anyone who is in marketing.

Has anyone looked at the new Opera browser?  I
saw the press release about their anti-phishing
SSL cert display, but I don't have a copy myself.


I hope to soon.


iang

--
News and views on what matters in finance+crypto:
       http://financialcryptography.com/
