Ian G wrote:
The market works all this out.  There will be some
settling.  In each country there will be like 1-3
big national brands.  Then there will be the globals,
the "Intels" of certification, which we can assume
would include VeriSign.  Then, in each sector there
will be specialists;  so there might be 1-3 big adult
CAs, then there will be 1-3 gambling CAs, then 1-3
banking CAs...

And what do we tell a user to do when he sees a CA logo he doesn't recognise?


The average user will need to know about 8, right,
but there will be many more out there, she just
won't enter into their worlds that much, much as
a Honda buyer never needs to know that both Mack
and Volvo make trucks.

This analogy doesn't work. The equivalent analogy would be driving to a store which required you to drive your merchandise home in a car of their choice, which had a greater or lesser likelihood of malfunctioning and crashing on the way home. You'd certainly need to know about Honda, Mack and Volvo trucks then! Or, to make life much easier for yourself, you'd need a "Which?" report in your hand which said "Honda and Mack trucks are pretty safe. Avoid Volvo".


Perhaps. The level of brand awareness required for this feedback mechanism to work is that a person must visit https://www.gap.com, realise it's secured by Foo CA, know that Foo CA has issued the odd dodgy cert, and then go and shop at https://www.sears.com instead. I'm sceptical that CA brands will ever achieve that level of brand awareness that overrides the often million-dollar-backed brand awareness of companies.

They will! If only given the chance. Or they will go out of business leaving fewer brands for the consumers to deal with. The market will solve this problem nicely.

Again, the analogy doesn't hold, because consumers cannot choose to "not use" a particular CA they don't know - the CA is chosen by the shop, not the consumer.


Gerv
_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
