Good question. The answer: Branding. VeriSign and other CAs would need to establish their brand with the public. VeriSign would need to act like Intel or Coke or Ford and establish a brand that speaks of trust.
Isn't that just reinforcing the monopoly they currently have on SSL certs? And raising the barrier to entry for newcomers?
The problem is foisted on us somewhat by the PKI design. At the moment, any cert signed by any CA is assumed to be good by the software, but it's pretty easy to see and to show that that is a really bad assumption. Now, if we are going to have a PKI where a CA is expected to be trusted, then that name must be known by whoever relies on that trust (the user).
Or the trust has to be assessed by the user's software provider.
It's a bit like if I were to sell you a can of Coke that was coloured green. I say it's Coke, but you know something's wrong coz you've always had familiar red cans. That signal should be sufficient to get the average user thinking a bit more.
I suspect the average user would (if you told them) just assume it was a promotion.
Oh, this part is clear - it's based on the fact that the user went to the site of their own volition in order to open an account. They typed in the URL, hopefully from some safe place. They have already made a meaningful decision about their bank; all the browser needs to do is relate that decision back to the right site, time and time again.
I think it would certainly be good to have the UI indicate whether this was the first time you'd visited a particular SSL site or not. But that would require keeping a lot of history.
Bookmarks take a user to her site. Once there, they disappear in relevance. The petnames suggestion is that the name that the user labelled their bookmark would be displayed on the chrome, quite prominently.
So how do you solve the https://www.ibank.barclays.co.uk / https://www.barclays.co.uk / https://www.barclays.com problem?
Yes, it would be a lot of extra stuff; but given the SSL signal - this site is important - and the amount of money being lost to phishing, then a fairly big change to the way browsers think about user interfaces is indicated.
Do you have any evidence for "the big amount of money lost to phishing"?
Gerv
_______________________________________________
Mozilla-security mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-security
