Heikki Toivonen wrote:
> I disagree. The users should not care who the CA is. We should have a
> system where the user can trust what they see regardless of the CA. It
> seems to me this is what EV is about.
>
> Even if we showed the CA to the user, there is no way for the normal
> user to find out how trustworthy the CA is. They will never hear
> anything about how the CA is operating.
>

Perhaps! But please, let's display the most important information and make them available easily! The CA issuer is only one of them.

>
> Please show the math that shows this is too expensive. I don't have any
> experience in running a CA so I don't know where the costs come. Well, I
> can see travel or a use of local agent will add to expenses, and
> insurance (where a big CA could get a lower insurance premium), but is
> there anything else that would really lock the smaller players out of
> the picture?
>

This type of certification is just going to be expensive. The overhead of the costs in relation to somewhat weaker verified identities is much higher, requires perhaps a different and bigger infrastructure and so on. We didn't make our estimates yet. Obviously there is nothing wrong with better verification procedures and earning more on it, if companies and individuals are going to buy this type of certification and pay for it! However this has to be proved first and the only incentive for it would be the green address bar... I doubt that any subscriber is willing to pay (more) for the real value of verification performed (actually any kind of it), if there is no obvious reason for it.

>
> We all seem to agree that current certificate practices are a confusing
> mess, and the best thing a user can rely on is domain validation. So
> there is obviously room for improvement. Yet the only improvement
> suggestion I was able to get from you was that we should show the CA's
> name. Anything else?
>

That was exactly the opposite. Currently only the issuer name is displayed with mouse over the padlock. We made a proposal yesterday, how to work on an improvement for handling of certificates in relation with the UI. We have made several suggestions and there might be even more from others. I hate to say it, but there is a competing browser offering most important information with one click. More detailed information with a second click. Mouse over effects are also applied, plus default information is displayed in the address bar. I'd like to see Firefox on that level first, before painting the address bar with new colors (So it's much easier to implement).

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Phone: +1.213.341.0390
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security