On Saturday 21 May 2005 04:39, Nelson Bolyard wrote:
> Under what circumstances do you want to display in the status bar
> the names from the cert rather than the name the user typed?

From an information point of view, you want to display the name from the cert every time. You already have a display for the user's typed-in name. If for example the status bar were to display the name from the URL then it would serve no purpose, it would simply be duplicating existing info, and it would be simply easier to replace it with a big tick or a big ... padlock. Worse, it might create a danger of a false sense of security, especially if people were told to check that it matched the URL above.

> And under those circumstances, which of the potentially many names in
> the cert will you display?

Thankfully, if we can ignore the | then that becomes quite tractable.

> If the name that was entered (typed, or in a link) matches one of the
> regular expressions in the cert's list, doesn't it suffice to display
> that name?

If the name matches one from the list perfectly, then displaying that one name makes sense. If there is a wildcard, then an issue arises - how to show that a wildcard has been matched. I'd suggest some sort of typographical convention to indicate a wildcard feature, such as bolding, or italics, or underlining of one or either parts. This is important because phishing can do things like get a sensible domain like america.com and then use bank.america.com as the eventual domain.

One question I have: in the certificate is it possible to do a wildcard for the next upper TLD level? I.e., is it possible for a *.com to be issued as a certificate? And what does Firefox do when it sees a *.com cert? If it is acceptable as a cert, then I'd strongly suggest looking closely at how to reveal this very powerful cert in the status bar.

iang
--
Advances in Financial Cryptography:
https://www.financialcryptography.com/mt/archives/000458.html
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
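
Added example, not part of the original message and not Firefox or NSS code: a sketch of the display logic discussed in the thread, which picks the cert name to show, marks which part of the host was covered only by a wildcard, and flags a wildcard as broad as *.com. All function and field names are hypothetical, and the matching rule ("*" only as the whole left-most label, covering exactly one label) is an assumption.

```javascript
// Added illustration; all names here are hypothetical, not Firefox/NSS code.
// Assumed rule: "*" is valid only as the whole left-most label and stands
// for exactly one label.
function matchCertName(host, pattern) {
  const h = host.toLowerCase().replace(/\.$/, "").split(".");
  const p = pattern.toLowerCase().replace(/\.$/, "").split(".");
  if (h.length !== p.length || h.includes("")) return null;
  const wildcard = p[0] === "*";
  const fixed = wildcard ? p.slice(1) : p;
  if (fixed.some((label) => label.includes("*"))) return null;
  const hostTail = wildcard ? h.slice(1) : h;
  if (hostTail.join(".") !== fixed.join(".")) return null;
  return { wildcard, coveredLabel: wildcard ? h[0] : "", fixed: fixed.join("."),
           // Simplification: "broad" means the wildcard sits directly under a
           // single-label suffix such as "*.com"; multi-label suffixes
           // (e.g. "co.uk") would need a public-suffix list.
           broad: wildcard && fixed.length < 2 };
}

// Pick the cert name to show: an exact match wins, otherwise the first
// matching wildcard. Segments carry an "emphasize" flag so the UI can bold or
// underline the part of the host that only the wildcard vouches for.
function statusBarName(host, certNames) {
  let viaWildcard = null;
  for (const certName of certNames) {
    const m = matchCertName(host, certName);
    if (!m) continue;
    if (!m.wildcard) {
      return { certName, wildcard: false, broad: false,
               segments: [{ text: m.fixed, emphasize: false }] };
    }
    viaWildcard = viaWildcard || { certName, ...m };
  }
  if (!viaWildcard) return null; // no cert name covers this host
  return { certName: viaWildcard.certName, wildcard: true, broad: viaWildcard.broad,
           segments: [{ text: viaWildcard.coveredLabel, emphasize: true },
                      { text: "." + viaWildcard.fixed, emphasize: false }] };
}

// Constructed sample inputs.
console.log(statusBarName("bank.america.com", ["america.com", "*.america.com"]));
console.log(statusBarName("example.com", ["*.com"]));
```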
