Hi Gervase,

Gervase Markham wrote:
> Alternatively, we could start again with a new UI indicator, this one
> actually backed by an objective standard and a minimum level of
> vetting. Which is the idea behind EV.

May I suggest an idea / proposal for a real improvement to the UI in conjunction with SSL certification, which will perhaps help the casual user best:

It is very common in the CA industry to mark digital certificates in some form in order to differentiate between various verification procedures. This is usually done by adding some text to the O or OU field in the subject line of a certificate. CAs do the marking voluntarily, because of the lack of a different display mode in software, except the binary padlock. At the low end we have "Domain Validated" certificates and at the high end will be the proposed EV certificates. Both of them have a place in the SSL landscape, especially if used for the correct purposes. But there is also a range in between, which seems to be thrown together with the lower end.

My suggestion would be to define a standard for marking, such as the OID for policies, which would allow the CA to mark certificates accordingly. Guidelines for correct marking could be defined (EV is being defined already by the proposed standard).

1.) White address / tool bar and padlock ON for Domain / Email validated only (Class 1).
2.) Yellow address / tool bar and padlock ON for Identity / Business validated (Class 2 & 3).
3.) Green address / tool bar and padlock ON for EV certificates (Class 4).
4.) Self-signed, temporarily accepted or unknown issuer even a different color??

Of course there are certain problems with this, such as adherence by the CAs to correct marking. Obviously EV certificates must be treated differently (authorized list etc.), but there might be ideas and solutions to this issue. The user however will gain the most, since he can understand more easily what type of certificate the site uses. Casual users sometimes don't know how to look at an SSL secured web site or its certification details, but an easy color scheme (and some explanation by hovering over the padlock) could give a good indication. Issuing CAs will have it easier to mark their different certificate levels and will most likely support it. Other browser vendors might follow as well.

It could be worth the effort which needs to be put into this proposal...

A second proposal would be to display the most important certificate details (subject line and issuer) by hovering over the padlock (in the address bar and status bar). This would give the user the most information without needing the technical skill to double click on the padlock -> Select Security Tab -> Click View -> etc., etc. As mentioned already, text within the subject line, such as O and OU, would be displayed and show the various, sometimes important details.

-- 
Regards

Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
_______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
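The following is an added example, not code from the e-mail, from Mozilla or from StartCom. It sketches the client side of the proposal above: read the policy OIDs out of a certificate's certificatePolicies extension (a minimal DER parser, since the extension is just a SEQUENCE OF PolicyInformation) and map them to the proposed display classes, with EV only honoured when the issuing root is on an authorized list, as the mail says it must be. The OID table is an assumption: the e-mail names no OIDs, so the values used are the CA/Browser Forum reserved policy identifiers that were standardised later (2.23.140.1.1 EV, 2.23.140.1.2.1 DV, 2.23.140.1.2.2 OV, 2.23.140.1.2.3 IV); the "Class 2 & 3" intermediate levels of the mail would need a CA-specific table. The sample extension at the bottom is constructed in code, not taken from a real certificate, and the private-enterprise OID in it is hypothetical.

```python
"""Classify a DER certificatePolicies extension into the display classes
proposed in the e-mail: dv (white), ov (yellow), ev (green), untrusted,
or unknown. Illustrative code written for this page; no external deps."""

# Assumed mapping from policy OID to display class (CA/B Forum reserved OIDs).
POLICY_CLASSES = {
    "2.23.140.1.1":   "ev",   # extended validation  -> green
    "2.23.140.1.2.2": "ov",   # organisation validated -> yellow
    "2.23.140.1.2.3": "ov",   # individual validated, treated like OV here
    "2.23.140.1.2.1": "dv",   # domain validated -> white
}
# Rank so the strongest recognised policy wins when several are asserted.
CLASS_RANK = {"unknown": 0, "dv": 1, "ov": 2, "ev": 3}

TAG_OID = 0x06
TAG_SEQUENCE = 0x30


def _tlv(tag, content):
    """DER-encode one tag/length/value triple (short or long length form)."""
    if len(content) < 128:
        return bytes([tag, len(content)]) + content
    n = (len(content).bit_length() + 7) // 8
    return bytes([tag, 0x80 | n]) + len(content).to_bytes(n, "big") + content


def _read_tlv(buf, pos):
    """Decode the TLV at buf[pos]; return (tag, content, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length, pos = buf[pos], buf[pos + 1], pos + 2
    if length & 0x80:                       # long form: low 7 bits = octet count
        n = length & 0x7F
        if n == 0 or n > 4 or pos + n > len(buf):
            raise ValueError("unsupported or truncated DER length")
        length = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    end = pos + length
    if end > len(buf):
        raise ValueError("DER length exceeds buffer")
    return tag, buf[pos:end], end


def encode_oid(dotted):
    """DER-encode an OBJECT IDENTIFIER (tag, length and base-128 arcs)."""
    arcs = [int(a) for a in dotted.split(".")]
    body = bytearray([40 * arcs[0] + arcs[1]])
    for arc in arcs[2:]:
        chunk = [arc & 0x7F]                # least significant 7 bits, no continuation bit
        arc >>= 7
        while arc:
            chunk.append((arc & 0x7F) | 0x80)
            arc >>= 7
        body.extend(reversed(chunk))
    return _tlv(TAG_OID, bytes(body))


def decode_oid(content):
    """Convert OID content octets (tag and length already stripped) to dotted form."""
    if not content:
        raise ValueError("empty OID")
    first = content[0]
    arcs = [first // 40, first % 40] if first < 80 else [2, first - 80]
    value, pending = 0, False
    for b in content[1:]:
        value = (value << 7) | (b & 0x7F)
        pending = bool(b & 0x80)            # continuation bit set: arc not finished
        if not pending:
            arcs.append(value)
            value = 0
    if pending:
        raise ValueError("truncated OID arc")
    return ".".join(str(a) for a in arcs)


def parse_certificate_policies(der):
    """Return the policyIdentifier OIDs from a certificatePolicies extension value.

    certificatePolicies ::= SEQUENCE OF PolicyInformation
    PolicyInformation   ::= SEQUENCE { policyIdentifier OBJECT IDENTIFIER,
                                       policyQualifiers SEQUENCE OF ... OPTIONAL }
    Qualifiers (CPS URIs, user notices) are skipped; only the identifier matters."""
    tag, outer, end = _read_tlv(der, 0)
    if tag != TAG_SEQUENCE or end != len(der):
        raise ValueError("certificatePolicies must be a single SEQUENCE")
    oids, pos = [], 0
    while pos < len(outer):
        tag, info, pos = _read_tlv(outer, pos)
        if tag != TAG_SEQUENCE:
            raise ValueError("PolicyInformation must be a SEQUENCE")
        tag, oid_content, _ = _read_tlv(info, 0)
        if tag != TAG_OID:
            raise ValueError("policyIdentifier must be an OBJECT IDENTIFIER")
        oids.append(decode_oid(oid_content))
    return oids


def classify(policy_oids, trusted_issuer=True, ev_authorized_root=False):
    """Map asserted policy OIDs to a display class. An untrusted or self-signed
    chain is never upgraded; an EV OID from a root that is not on the EV
    authorized list is capped at 'ov' (design choice: the claim is unverified)."""
    if not trusted_issuer:
        return "untrusted"
    best = "unknown"
    for oid in policy_oids:
        cls = POLICY_CLASSES.get(oid, "unknown")
        if cls == "ev" and not ev_authorized_root:
            cls = "ov"
        if CLASS_RANK[cls] > CLASS_RANK[best]:
            best = cls
    return best


def build_policies_extension(oids):
    """Construct a certificatePolicies extension value (test data, not a real cert)."""
    return _tlv(TAG_SEQUENCE, b"".join(_tlv(TAG_SEQUENCE, encode_oid(o)) for o in oids))


if __name__ == "__main__":
    # Constructed sample: an OV certificate that also carries a hypothetical CA-private OID.
    ext = build_policies_extension(["1.3.6.1.4.1.99999.1.2", "2.23.140.1.2.2"])
    oids = parse_certificate_policies(ext)
    print(oids, "->", classify(oids, trusted_issuer=True))
```

The parser deliberately rejects anything that is not a well-formed SEQUENCE OF SEQUENCE { OID ... }, and classification never trusts an EV OID on its own: the issuer must already be on the browser's EV authorized list, which is the "treated differently" requirement the mail raises.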