Frank Hecker wrote:
I agree with the notion that the expectation the market has set for
users is that the padlock or gold key or gold address bar etc. means a
site is good enough for commerce and banking.

I think the reverse is true as well: The expectation has been set that
only commerce and banking sites need concern themselves with using SSL
and SSL certificates. I think this is probably the key demand-side
constraint on the growth of low assurance certificate services.

Right. I'm not sure what the foundation of that
expectation is. And I'm not sure why MF particularly
thinks it important to believe in "only commerce and
banking" for security, given that most of the people
who work on it are volunteers, and are explicitly not
part of any commercial process, and the product is
neither sold for those processes nor sold at all.

But it is a pervasive assumption that extends all the
way across the PKI/X.509 field. Apache for example.
Thunderbird's S/MIME assumes a commercial model of cert
sales. Presumably S/MIME just took the lead from SSL.

But, it doesn't extend beyond the SSL/PKI/X.509 field to
any great measure; most of the other crypto publishers
that I know of bend over backwards and tie ourselves in
knots to get non-commercial people to use the software.
(E.g., Peter Gutmann, PGP, Cryptix, BouncyCastle,
CryptoRights, OpenSSH, ...)

iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/