Gervase Markham wrote:
Ian G wrote:
Secondly, what you are pointing at is a *derivative*
problem. The primary problem is that the CA issued
a duff cert. How do you solve that? Well, there has
to be some pain somewhere, and the closer it is to
the users, the more likely the pain will actually respond
to user security needs. So, yes, some users are
going to have some pain. That's part of the process.

Thirdly, your grandfather could think like that, and
probably does - ask him what car brands he knows.
Then ask him if he knows anyone who buys Ford
every time ... and ask him what would happen if
he saw the guy go and buy a Renault or a Seat?

You've made such analogies before; but I again repeat that the brand
visibility is vastly different in both cases, and note that "the CA I
use to protect my connection to Amazon" is not a consumer choice like
"the car I buy".

The point I am making is that users understand
branding. Their understanding of branding gives
them information that they can use. You're right
to point out that they will use this branding info
in different ways.
In this case, they can use the information to understand
the risks. We're not asking anyone to "choose a CA".
Instead, we're asking the users to a) choose to avoid
CAs and merchants where the CAs have a bad rep,
and also to notice when a CA changes. If a CA changes,
that's a signal that they may be being spoofed.
If they're being spoofed via the same CA, then the
reputation issues kick in. But they will only kick in
if the user has a reason to get upset at the CA,
which means it must be branded to them, in their
minds, on the chrome.

Fourthly, what exactly are you saying in terms of not
showing the cert? Are you saying that you believe that
when a company screws up, it should be dealt with
behind the scenes? That the users shouldn't know
that UserBust is continuing to issue duff certs, and
it is stuck in the root list of 90% of issued product?

Fundamentally, when we had no market share, we had no leverage. When
we have some, we'll have some. So how about this for an idea to kick
around:
- CA Foo issues a bunch of duff certs to phishers
- People lose money
- The MF decides, pragmatically, that CA Foo has sold too many certs
to yank their root cert, due to user inconvenience.
- The MF instead declares that CA Foo's root cert will be yanked in 6
months, unless they clean up their act, and that sites should not rely
on CA Foo's certs working in 15% of browsers 12 months from now.
- The resultant storm of publicity and uncertainty and doubt causes CA
Foo registrations to drop, and CA Foo to clean up their act, and beg
us to issue a joint press release to that effect.

It might work...

Sure, something like that.

In the absence of even the ability (never mind the understanding and
the will) to make that choice, I'm not convinced that adding the CA
name is worth the real estate and added UI complexity.

They have the ability. They use it every purchase
they make. Ask anyone who is in marketing.

I meant the ability to choose the CA who protects their connection to
a particular site - an ability which you've admitted they don't have.

The reason for showing them the CA is not to
"give them choice in CAs" but to allow them to
develop a sense of the risks they are taking. If
they see SafeCA being used at a bookshop then
they will put their details in a form... if they see
DodgyCA then they may decide it's not worth
the risk; maybe they know DodgyCA is bad, or
maybe they know it wasn't there last time and
that's a bad signal.

iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
_______________________________________________
mozilla-crypto mailing list
http://mail.mozilla.org/listinfo/mozilla-crypto