Ed Gerck responded to me:
> > We develop TrustBar, a simple extension to FireFox (& Mozilla), that displays the name and logo of SSL protected sites, as well as of the CA (so users can notice the use of untrusted CA). I think it is fair to say that this extension fixes some glitches in the deployment of SSL/TLS, i.e. in the most important practical cryptographic solution.
>
> Yes, because it makes the user notice what CAs the _browser_ has
> decided the user _automatically_ accepts [1]. But there is a caveat. Can
> you trust what trustbar shows you?

This trust translates to:
-- Trusting the TrustBar code (which is open source so can be validated by tech-savvy users / sys-admin)
-- Trusting that this code was not modified (same as for any other aspect of your machine)
-- Trusting the CA - well, not exactly; TrustBar allows users to specify for each CA whether the user is willing to display logos/names from this CA automatically, or wants to be asked for each new site. Only if the user selects `display logo/name automatically`, then he really trusts the CA in this regard, and still the brand (logo) of the CA appears (for accountability). I'll admit, though, that currently VeriSign is `trusted` in this respect by default (of course the user can change this easily).

> And, of course, knowing what CA
> is being used is also possible without trustbar but requires a couple
> mouseclicks. Wouldn't it be better if Firefox/Mozilla simply
> put the name of the CA next to the lock icon?

I don't think this is enough:
a) not visible enough
b) not clear enough (what this means)
c) does not allow user to distinguish between different companies with cert from the same CA (i.e. you lose the identification of the site by name/logo and resort back to the SSL `identify by URL` which is too complex for naive users).


Thanks (also for the URL)! Amir Herzberg

---------------------------------------------------------------------
The Cryptography Mailing List