On 10/23/2012 07:21 PM, Michael Jenkins wrote:
> I don't think trust is that nebulous an idea for many things that people do
> with browsers. We've got to stop convincing people that "this certificate
> is okay", and start informing them "it's okay to enter a credit card number
> here".

Browsers should not try to indicate "it's okay to enter a credit card
number here" without asking for a lot more information from the user --
even if you could determine that a given business was "official",
there's no way for a browser to know that this business is one that the
user actually is willing to give their credit card to.

The same word of caution holds for many other kinds of communication
beyond financial details.  Different users face different threats and
have different perceptions of acceptable risk.

> I often wonder why the browser doesn't have the ability for me to label my
> trust anchors with labels like "bank" and "school", and then indicate to me
> when a certificate validation has terminated in a labeled trust anchor. How
> I apply those labels is my policy - based on prior experience, or obtaining
> a "fingerprint" from a letter from the bank, or what have you. It doesn't
> even prevent me from working with other banks, unless I want to limit
> myself.

What you describe is known as "petnames" [0].  There was even a browser
plugin for it, back in the day [1].

If you want this functionality, perhaps resurrecting that plugin would
be a useful course of action?

Regards,

        --dkg

[0] http://www.skyhunter.com/marcs/petnames/IntroPetNames.html
[1] http://www.waterken.com/user/PetnameTool/


_______________________________________________
therightkey mailing list
https://www.ietf.org/mailman/listinfo/therightkey
