Duane wrote:
> Robert Sayre wrote:
> 
>> I believe it presents a higher barrier. Since there is no technical
>> advantage to EV, I am not sure that will matter, once ways of
>> manipulating the EV system are discovered by criminals (does anyone
>> think they won't figure something out?). I don't think Mozilla should
>> jump in right away. This is unpleasant, because it would then appear
>> that IE has a "feature" we lack. So, I understand the desire to go ahead.
> 
> As usual, I've come to the conclusion that mozilla reps are asking for
> feedback, but don't really care for answers as their minds are either
> made up, or just don't care.

I fail to see this. What is not changeable? What do you propose instead?

> This is going to be another click through popup, everyone will associate
> yellow v green, as most sites are going to be yellow long after whatever
> is passed by the powers that be, so everyone might as well keep going
> with the connection to this site because we've become numb with
> conditioning that yellow is good and the padlock is still there which
> I've always been told to look for.

Some people have pushed for making SSL errors such that you cannot just
click OK and proceed to the site. I'd like to see that happen. The thing
that seems to be holding this back is the fear of misconfigured sites
becoming inaccessible. In any case, that can be done with or without EV
certs.

> What's really sad here is instead of leading security mozilla are happy
> to follow like sheeple, instead of embracing university researchers in
> ways of making browsing safe, they are embracing and extending
> Verisign's bank balance.

Hmm, so is your suggestion that instead of EV we should use something
like petnames instead? I don't think petname-like systems alone can
solve the problem nor do I think EV alone can solve the problem. I think
we need both. This thread is about discussing EV.

> As some have pointed out on the anti-fraud list (Gerv is also on that
> list), identity isn't a good thing to make strong because then it only
> leads to identity fraud, and what he fails to grasp is the fact that no
> matter how strong or good he thinks this system is others will still
> find loopholes *if* they even feel it's necessary.

I fail to find the logic in not letting me know the identity of the
website operators I want to do business with.

Everyone understands we cannot make anything 100% safe. But we can make
things safer than they are now.

-- 
  Heikki Toivonen
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
