Gervase Markham wrote:

Of course, we might be able to make it work by reducing the number of CAs to (say) 8...


The market works all this out.  There will be some
settling.  In each country there will be like 1-3
big national brands.  Then there will be the globals,
the "Intels" of certification, which we can assume
would include VeriSign.  Then, in each sector there
will be specialists;  so there might be 1-3 big adult
CAs, then there will be 1-3 gambling CAs, then 1-3
banking CAs...

The average user will need to know about 8, right,
but there will be many more out there, she just
won't enter into their worlds that much, much as
a Honda buyer never needs to know that both Mack
and Volvo make trucks.


this is an area where
the browser providers can force the issue a bit by enabling this
feedback loop especially by exposing the site's identity and the CA
who did the authentication, but even without effort by the browser
providers the press will pick this up once it becomes a more
practical concern.


Perhaps. The level of brand awareness required for this feedback mechanism to work is that a person must visit https://www.gap.com, realise it's secured by Foo CA, know that Foo CA has issued the odd dodgy cert, and then go and shop at https://www.sears.com instead. I'm sceptical that CA brands will ever achieve that level of brand awareness that overrides the often million-dollar-backed brand awareness of companies.


They will!  If only given the chance.  Or they will
go out of business leaving fewer brands for the
consumers to deal with.  The market will solve this
problem nicely.



iang
--
News and views on what matters in finance+crypto:
        http://financialcryptography.com/
_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
