Eddy Nigg (StartCom Ltd.) wrote:
No! But you don't answer on what I said...did you realize what you
actually proposed? Sincerely? You actually suggested, that StartCom (or
other smaller CAs) could be kicked out for a mistake, but Verisign will
stay there, no matter what, because of market share.

No, I didn't propose that. Where did I propose that?

Except that, the StartCom CA strives for 100 % adherence to the CA policy
(which is the promise we give to the subscriber and relying party) and beyond!

As I'm sure Verisign does also.

For example Mozilla's own CA policy would be a good start.
No, I mean particular alternative audit scheme (such as ETSI). Did you
have one in mind?
There can be various audit schemes, however I would like to see
alternatives to the WebTrust auditors which is in my opinion an
expensive monopoly. There are valuable alternatives and perhaps
definitions available, which would create also some competition in this
field!

Then suggest an alternative that I can propose!

But again, this request is probably best made directly to the Forum.

Overhead operational costs and requirements such as physical check of
the premise will make this type of certification certainly expensive, so
expensive is a relative term...Additionally many businesses will have
difficulties complying to every criteria.
Which criteria do you think are particularly difficult, and how would
you change them?
For example: _16. Verification of Applicant’s Physical Existence_ might
be problematic, especially a visit at the premise from the CA point of view.

Oh, I see - you mean many _CA_ businesses will have difficulty complying. Because clearly, a site visit is not particularly problematic for the customer.

Such things can be outsourced; there has been much discussion of this on the mailing list.

If we are going to try and educate the public to look for a trust
indicator, we need a trust indicator which is worthy of the name.
Which in your opinion a green address bar is?

I think that EV will be a much more reliable indicator of the level of safety in transacting with a website than the lock, yes.

Can you talk me through the thought processes of someone trying to
make that decision, if the UI is as you state?
Yes! A new idea for this would be, on a first visit at an SSL enabled
site to present the user with a window with important and informative
details. Not a warning popup, but a friendly message, displaying the
most critical information the CA has bothered to include in the
certificate.

Right. Straight away, you've distracted the user from their primary task (buying something) to make them read a bunch of what they see as irrelevant information. How many of these do you think it'll take for them to just start closing them without reading, and how many more for them to get really annoyed and switch to IE?

Otherwise why should a CA bother to include this and other
information, if you have to click through 5 buttons in order to get a
clue about the subscriber.

Because a user actually only needs this information extremely rarely - when they've got a problem with the site.

No! Because YOU can't decide what's safe for ME and any other user.

Oh, yes I can. I've decided that 56-bit keys are not safe but 128-bit are. I've decided that SSL2 is broken and shouldn't be supported. I decide a load of things.

Otherwise if this is what you are saying, I can sue YOU, if you are
going to take the decision for ME and something happens!

Perhaps the US legal system is now so broken that this might happen, I don't know. I doubt it. But certainly not in any other country.

Security UI is opinion. Informed opinion, but nevertheless opinion. Just like a certificate.

first place, if you are going to hide it away!? I didn't say overloaded
information, but currently the Firefox browser isn't providing ANY
information. What does it help to popup "Authenticated by StartCom Ltd."
when hovering over the padlock! Does the casual user know, who StartCom
is? Or Comodo? Or Geotrust? Or...

Indeed. That's why the CA name is not in the main chrome, and why I have consistently argued against putting it there. It's great that the CAs recognise this, even if the IanGs of this world don't.

Huuu? So why are the decision makers not involved in this discussion? I
mean, we spend time and effort in order to help and shape an important
part of a security related component (mainly policy wise), if after all
any of our inputs aren't being considered seriously?!? Can you clarify
the decision making process and use of this thread perhaps?

There is no concrete process. This is as clear as it gets :-)

Gerv
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
