Secondly, what you are pointing at is a *derivative* problem. The primary problem is that the CA issued a duff cert. How do you solve that? Well, there has to be some pain somewhere, and the closer it is to the users, the more likely the pain will actually respond to user security needs. So, yes, some users are going to have some pain. That's part of the process.
Thirdly, your grandfather could think like that, and probably does - ask him what car brands he knows. Then ask him if he knows anyone who buys Ford every time ... and ask him what would happen if he saw the guy go and buy a Renault or a SEAT?
You've made such analogies before; but I again repeat that the brand visibility is vastly different in both cases, and note that "the CA I use to protect my connection to Amazon" is not a consumer choice like "the car I buy".
Fourthly, what exactly are you saying in terms of not showing the cert? Are you saying that you believe that when a company screws up, it should be dealt with behind the scenes? That the users shouldn't know that UserBust is continuing to issue duff certs, and it is stuck in the root list of 90% of issued product?
Fundamentally, when we had no market share, we had no leverage. When we have some, we'll have some. So how about this for an idea to kick around:
- CA Foo issues a bunch of duff certs to phishers
- People lose money
- The MF decides, pragmatically, that CA Foo has sold too many certs to yank their root cert, due to user inconvenience.
- The MF instead declares that CA Foo's root cert will be yanked in 6 months, unless they clean up their act, and that sites should not rely on CA Foo's certs working in 15% of browsers 12 months from now.
- The resultant storm of publicity and uncertainty and doubt causes CA Foo registrations to drop, and CA Foo to clean up their act, and beg us to issue a joint press release to that effect.
It might work...
In the absence of even the ability (never mind the understanding and the will) to make that choice, I'm not convinced that adding the CA name is worth the real estate and added UI complexity.
They have the ability. They use it in every purchase they make. Ask anyone who is in marketing.
I meant the ability to choose the CA who protects their connection to a particular site - an ability which you've admitted they don't have.
Gerv

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
