The other day I sent Amir Herzberg a private note saying I thought his new tool was pretty neat, and though I'm sure he's heard it a lot, thanks. He said nope, nobody else has said it, and I was stunned.

As we all know, but apparently don't fully appreciate, the social aspects of security don't fall into a binary good/bad evaluation. This isn't a new key exchange protocol, where it can be objectively evaluated, ending up with a good/bad decision. It's an open source idea implemented by competent people, designed to address a real, and growing, concern on the web.

Instead of saying "neat, thanks" or "have you thought about this?", the list is filled with lots of carping about trust, wanna-be pundits referencing Thompson's ACM paper, etc. Sheesh! Why would anyone bother?

Here's a real-world clue: the folks who might really be helped by this, who might be saved from having their bank account raided, are *already* trusting click-to-install software. If some of them click and just trust this, their surfing might be a bit more secure, and their lives just a bit better.

Why would Mozilla embed this? If they came here, to the putative experts, for an evaluation, they'd leave thinking Amir and company just invented Rot-13. It's not that. It's also not perfect. BFD -- you got anything better?

        /r$

PS: A concrete suggestion for improvement: when showing the user the CA that certified the target site, include a two-line corporate summary and a link to their home page.
--
Rich Salz, Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html


---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]