Fair enough. So let me ask a specific question: If the level of cert assurance is the key issue, do you believe that the binary security UI in combination with potential threats of phishing attacks justifies rejecting CAs that issue "domain validation only" certs, and removing any such CAs' root certs from the current default set?
Would it be possible for the browser to programmatically tell when an SSL connection is secured by a "domain validation only" cert? (I suspect not, but it's worth asking.)
One thing I've become more convinced of over the last few weeks is that our UI needs a "site identity verified" indicator which is separate from the SSL indicator. Site identity could be verified by SSL, but also if we used DNSSEC to look up the name. DNS attacks are the next step in phishing as users get wiser.
So perhaps the solution is to stop showing the lock for such certs, and merely show the "site identity verified" indicator.
(FWIW, the indicator might be making the domain name in the status bar bold - but that's just off the top of my head; there may well be better UIs.)
If so, how would you justify doing this? (By which I mean, what is the detailed argument that would lead to this conclusion, expressed in terms appropriate for publicly justifying such a policy to everyone who might be affected by it?)
Thinking about it, it's certainly hard to justify maintaining both a binary security UI and keeping such CA root certs.
Second, as a future point we *do* have two independent products now, Firefox and Thunderbird, with two separate application domains, and even if we have a binary security model in terms of any given product it's not out of the question that we could have different models for different products, e.g., have a different default set of CA certs for Firefox than for Thunderbird.
Very good point.
But of course like many other suggestions this too depends on future product changes that we'd have to find developers to implement...
If the Foundation is serious about the security push this year, it should be hiring developers to work in this area. If we end up with a list of bugs they should fix and an order, so much the better.
Gerv

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
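The programmatic question raised in the message above (can a browser tell that a connection is secured by a "domain validation only" cert?) acquired a practical answer later than this discussion: the CA/Browser Forum reserved policy OIDs that a compliant CA places in the certificatePolicies extension (2.23.140.1.2.1 for DV, 2.23.140.1.2.2 for OV, 2.23.140.1.2.3 for IV, 2.23.140.1.1 for EV). The Python below is an added example, not code from the thread or from Mozilla; it carries a minimal DER parser for that extension and classifies the validation level. The CA-specific policy OID 1.3.6.1.4.1.999999.1 and the CPS URL are constructed placeholders, and the sample extension values are built inline so the script runs offline. Certificates that carry no CA/B Forum OID (older certs, or CAs outside the Baseline Requirements) come back as UNKNOWN, which is the honest answer to the original question for that population.

```python
"""Classify a certificate's validation level from its certificatePolicies
extension. Added example with a minimal DER encoder/parser; the CA-specific
OID and CPS URL below are constructed placeholders, not real identifiers."""

# CA/Browser Forum reserved certificate policy OIDs.
CABF_POLICY_OIDS = {
    "2.23.140.1.2.1": "DV",  # domain-validated (Baseline Requirements)
    "2.23.140.1.2.2": "OV",  # organization-validated
    "2.23.140.1.2.3": "IV",  # individual-validated
    "2.23.140.1.1": "EV",    # extended validation (EV Guidelines)
}
ID_QT_CPS = "1.3.6.1.5.5.7.2.1"            # PKIX CPS pointer qualifier
HYPOTHETICAL_CA_OID = "1.3.6.1.4.1.999999.1"  # constructed placeholder


def _der_len(n):
    """DER length octets: short form below 0x80, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    raw = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(raw)]) + raw


def der_tlv(tag, body):
    """Wrap body in a tag-length-value triple."""
    return bytes([tag]) + _der_len(len(body)) + body


def encode_oid(dotted):
    """Encode a dotted OID as a DER OBJECT IDENTIFIER (tag 0x06)."""
    arcs = [int(a) for a in dotted.split(".")]
    out = bytearray([arcs[0] * 40 + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]          # last base-128 digit, high bit clear
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)  # continuation digits
            arc >>= 7
        out.extend(reversed(chunk))
    return der_tlv(0x06, bytes(out))


def _read_tlv(buf, pos):
    """Read one TLV at pos; return (tag, body, position after it)."""
    tag = buf[pos]
    length = buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    body = buf[pos:pos + length]
    if len(body) != length:
        raise ValueError("truncated DER element")
    return tag, body, pos + length


def decode_oid(body):
    """Decode OBJECT IDENTIFIER contents (first-arc split assumes arc1 < 40)."""
    if body[-1] & 0x80:
        raise ValueError("truncated OID arc")
    arcs = [body[0] // 40, body[0] % 40]
    value = 0
    for b in body[1:]:
        value = (value << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(value)
            value = 0
    return ".".join(str(a) for a in arcs)


def parse_certificate_policies(ext_value):
    """Return the policy OIDs in a certificatePolicies extension value.
    Each PolicyInformation is SEQUENCE { policyIdentifier OID, qualifiers
    OPTIONAL }; the qualifiers are skipped, not interpreted."""
    tag, seq, end = _read_tlv(ext_value, 0)
    if tag != 0x30 or end != len(ext_value):
        raise ValueError("certificatePolicies must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(seq):
        ptag, pinfo, pos = _read_tlv(seq, pos)
        otag, obody, _ = _read_tlv(pinfo, 0)
        if ptag != 0x30 or otag != 0x06:
            raise ValueError("malformed PolicyInformation")
        oids.append(decode_oid(obody))
    return oids


def classify_validation_level(ext_value):
    """DV / OV / IV / EV from the CA/B Forum OIDs present, else UNKNOWN.
    If several are asserted, report the strongest level claimed."""
    rank = {"DV": 1, "IV": 2, "OV": 2, "EV": 3}
    levels = [CABF_POLICY_OIDS[o] for o in parse_certificate_policies(ext_value)
              if o in CABF_POLICY_OIDS]
    return max(levels, key=rank.__getitem__) if levels else "UNKNOWN"


def policy_info(oid, cps_uri=None):
    """Build one PolicyInformation, optionally with a CPS URI qualifier."""
    body = encode_oid(oid)
    if cps_uri:
        qualifier = der_tlv(0x30, encode_oid(ID_QT_CPS)
                            + der_tlv(0x16, cps_uri.encode("ascii")))  # IA5String
        body += der_tlv(0x30, qualifier)
    return der_tlv(0x30, body)


# Constructed sample extension values (not taken from any real certificate).
SAMPLE_DV = der_tlv(0x30, policy_info("2.23.140.1.2.1")
                    + policy_info(HYPOTHETICAL_CA_OID, "http://cps.example.invalid/"))
SAMPLE_EV = der_tlv(0x30, policy_info("2.23.140.1.1") + policy_info("2.23.140.1.2.2"))
SAMPLE_LEGACY = der_tlv(0x30, policy_info(HYPOTHETICAL_CA_OID))

if __name__ == "__main__":
    for name, ext in [("DV", SAMPLE_DV), ("EV", SAMPLE_EV), ("legacy", SAMPLE_LEGACY)]:
        print(name, parse_certificate_policies(ext), "->", classify_validation_level(ext))
```

A browser-side check would extract the extension value from the leaf certificate it already has in hand; the parser above deliberately stops at policy identifiers and ignores qualifiers, because the UI decision depends only on which reserved OID is asserted, and a CA's own CPS pointer says nothing about the validation level.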
