Eddy Nigg (StartCom Ltd.) wrote:
>> The User Interface in Internet Explorer 7.
> What has the IE7 UI to do with Mozilla (Firefox)? We are interested in
> how the Firefox UI is going to look and behave!

Browser manufacturers are cooperating on (or in some cases copying) user
interface elements on purpose to make it easier to educate people. The
padlock is basically the same in most browsers. A pretty recent
development is also the RSS icon that IE copied from Firefox. Since IE
has the first(?) UI for EV certs, other browser manufacturers have some
incentive to follow their lead unless they can think of something
obviously better.

> As you agree that the CA industry recognizes more than just one or two
> levels and the subscriber is making a decision on one of these levels,
> the relying party must know what these levels are. Our proposal is to
> give the user (relying party) a better way to judge that.
> 
> As you and others pointed out, there is nothing 100%, not even in the
> proposed EV certification. But what's important here is that the user
> knows the type of verification performed and makes a decision if he/she
> can risk / trust the information / amount or whatever is required to
> share with the site operator. For example a user may find it sufficient
> to risk a purchase of a small amount of money if the subscriber is
> reasonably verified. But the same user would only risk a bigger amount
> if the subscriber would have been thoroughly verified (EV). As domain
> validated certificates should only be used for password login protection
> and not for sharing critical personal information or money transfer,
> today and in the future, the user will have no clue how to know about
> it. Therefore our suggestion to improve this!

Even though I consider myself security savvy, I'd rather not deal with
multiple levels in the browser myself.

SSL or not would have been great, but it's too late now. The next best
thing is no SSL (everyone can snoop you), unknown validation SSL
(password can't be snooped but beyond that it is hard to know anything
else), and EV (more informative UI, have high(er) hopes of actually
being able to sue somebody if something goes wrong).

> EV means Extended Validation! There might be CAs which will not issue
> EV certificates, nevertheless they perform valuable verifications.
> Obviously we can't support changing the Mozilla CA policy, if this
> means that only EV enabled CAs will be supported by Mozilla!

I haven't heard anyone say Mozilla would stop supporting non-EV
certificates. I'd also consider EV certificates overkill for a
discussion forum, for example, where you mainly want to protect your
login and password from snooping, so I certainly think there will still
be a market for non-EV certificates.

> There are various other valid standards for CAs and nothing, but
> nothing will change the role of the browser vendor in this respect. EV
> is just another standard! Auditing was always a job of a third party and
> I don't see anywhere in the current CA policy, that Mozilla is supposed
> to do the auditing. Nothing will change in that respect!

You say that like standards have no value, and are all just useless
pieces of paper.

Sure, from a browser vendor's point of view there is not much difference.
For EV certs you look for proof of a different auditing process, and flip
a different bit when adding the cert. But it (hopefully) can make a
significant difference in the user experience.

>> I would anticipate that the primary sanction would be removal of EV
>> status, rather than being completely kicked out of the root list. This
>> latter, nuclear, option has been theoretically available to us for
>> existing CAs under the current system, but we have never contemplated
>> using it - because removing e.g. Verisign would break half the SSL
>> sites on the web. 
> Which would give Verisign or other similar CAs (all of them owned by
> Verisign anyway) a license to do whatever they like! Your statement
> above is extremely dangerous! Because you just said that you are
> willing to compromise half of the SSL enabled sites of the Internet,
> because of their market share!?!?!

Have there been cases where a CA has been consistently so bad that it
should have warranted removal?

-- 
  Heikki Toivonen
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
