Gervase Markham wrote: > > But what you are not, Eddy, is a member of the Mozilla community - or, > at least, not until about a week ago and not in any context apart from > this one. Thank you for that one....However StartCom provides two free and open source operating systems (which includes Mozilla software) to the public - provides free and low cost digital certification to the Internet community at large. Even if currently not contributing patches to Mozilla, we don't feel, that we are NOT part of this... > >> You may call this domination, but I'm prepared (and perhaps others) to >> invest time and effort in order to make the handling of digital >> certificates by Mozilla/Firefox better. > > That's great. Would you be willing to hire someone to help write code > to implement whatever UI design our UI design group picks, even if > it's not the one you want? I don't need to hire developers, we have them in-house. It could be, that StartCom will provide patches to the Mozilla code, so currently I see our contribution - if you will - by contributing in this discussion. > > Why did you not feel it was so important, say, a month ago? (This is a > fair question, I think.) Because this wasn't a priority, since no UI changes were proposed in relation to digital certificates. Once you opened this thread, we thought that there is perhaps better a better way of improving the UI. And yes, we have an interest in how this browser works! > > Or rather, those who shout loudest don't like it. I've had the great > joy of interacting with many of that group before, and I know where > they stand. However, at this stage I am interested in hearing from > Mozilla community members such as Heikki and dbaron. However I'm getting the feeling, that you are not listening at all. If this is not an open process, than you should perhaps send a mail to the few people, you know who will support your idea and get on with it. Or perhaps advice right from the start: /We are not interested in hearing opinions and suggestions./ Personally I guess, we would have asked our questions and not waste any more time with it. > >> 2.) Organize a "task group" of interested individuals and parties, which >> should discuss and make recommendations and offer various options on >> how digital certificates should be presented in the future. Up for >> discussion might be every proposal and the groups responsibility would >> be to make its recommendation until a certain date. >> I could imagine proposals for this group, such as the address bar, >> display of information, saving of fingerprints (ssh like), error >> behavior and more. > > The Mozilla project doesn't tend to work in such a structured way. But > I know our UI designers are going to be looking at the security UI > over the next few weeks. I hope they will make this group aware of how > the process is going to work. So perhaps it might be a good idea to start to work on this issue in a structured way? Perhaps this would be a more efficient and clean approach!
>> No! But you don't answer on what I said...did you realize what you >> actually proposed? Sincerely? You actually suggested, that StartCom (or >> other smaller CA's) could be kicked out for a mistake, but Verisign will >> stay there, no matter what, because of market share. > > No, I didn't propose that. Where did I propose that? >From your post on the Mon, Nov 6 2006 4:57 pm: but we have never contemplated using it - because removing e.g. Verisign would break half the SSL sites on the web. > >> Except that, the >> StartCom CA strifes for 100 % adherence to the CA policy (which is the >> promise we give to the subscriber and relying party) and beyond! > > As I'm sure Verisign does also. Sure, however issuing a Class 3 certificate to a company or individual called "CLICK YES TO CONTINUE" simply shows something extremely broken. This is not a "domain validated" cert, but Class 3 code signing! And this didn't happen in the nineties, but just recently...I don't know....Verisign is not my business, but if somebody would have looked even once at this request, before CERTIFYING, this simply could not have happened! So much about that... > >> There can be various audit schemes, however I would like to see >> alternatives to the WebTrust auditors which is in my opinion an >> expensive monopoly. There are valuable alternatives and perhaps >> definitions available, which would create also some competition in this >> field! > > Then suggest an alternative that I can propose! As suggested previously, the Mozilla CA policy would provide such alternatives. > > But again, this request is probably best made directly to the Forum. We'll certainly try to do that, however if Mozilla would support that together with other browser vendors (perhaps KDE), than the chances will be higher to having that implemented in the specifications. Provided that this is Mozillas view as well. > > Oh, I see - you mean many _CA_ businesses will have difficulty > complying. Because clearly, a site visit is not particularly > problematic for the customer. Right, it's a CA related challenge...Obviously I'm looking at it, how a CA (including us) is going to comply with it...And what if there is no trustworthy agent available in that region? Quite obvious the CA must send somebody in to do this job. However this drives the costs upwards, which the client has to pay. In such a case, the client might prefer not to make the deal and the CA is going to loose business...or being very attempted to skip this requirement! I'm very skeptical about this one, because if a standard is set too high, it will be circumvented when not convenient! Simply as that... >> Yes! A new idea for this would be, on a first visit at an SSL enabled >> site to present the user with a window with important and informative >> details. Not a warning popup, but a friendly message, displaying the >> most critical information the CA has bothered to include in the >> certificate. > > Right. Straight away, you've distracted the user from their primary > task (buying something) to make them read a bunch of what they see as > irrelevant information. How many of these do you think it'll take for > them to just start closing them without reading, and how many more for > them to get really annoyed and switch to IE? It's an idea. There can be other, perhaps better suggestions as well. As proposed earlier, perhaps there need to be some work done in order to provide something better. I didn't say, this is the only solution, it might be one of them...Obviously making the user aware, that he is visiting a secured site and knows the details with whom he is going to make business is certainly not distracting the user, but quite the opposite. It's a service the browser should provide, not hide. > >> Otherwise why should a CA bother to include this and other >> information, if you have to click through 5 buttons in order to get a >> clue about the subscriber. > > Because a user actually only needs this information extremely rarely - > when they've got a problem with the site. Really? Are you buying anywhere without checking from whom and what you get? What are the guaranties you receive? What if you don't receive the goods? I don't think, that your argument is correct... > >> No! Because YOU can't decide what's safe for ME and any other user. > > Oh, yes I can. I've decided that 56-bit keys are not safe but 128-bit > are. I've decided that SSL2 is broken and shouldn't be supported. I > decide a load of things. This are technical, crypto related decisions. However you seem to decide, which verification is good and which not, without taking into consideration, other, most likely valid procedures? > >> Otherwise if this is what you are saying, I can sue YOU, if you are >> going to take the decision for ME and something happens! > > Perhaps the US legal system is now so broken that this might happen, I > don't know. I doubt it. But certainly not in any other country. I'm not sure about that. Perhaps check... > > Security UI is opinion. Informed opinion, but nevertheless opinion. > Just like a certificate. A digital certificate is certainly NOT an opinion....A CA certifies according to the expected procedures and does not provide opinions....Did you think about what you just said? ;-) > >> Huuu? So why are the decision makers not involved in this discussion? I >> mean, we spend time and effort in order to help and shape an important >> part of a security related component (mainly policy wise), if after all >> any of our inputs aren't being considered seriously?!? Can you clarify >> the decision making process and use of this thread perhaps? > > There is no concrete process. This is as clear as it gets :-) OK, perhaps define a process so we know, if and how to invest our time? -- Regards Signer: Eddy Nigg, StartCom Ltd. Phone: +1.213.341.0390 -- Regards Signer: Eddy Nigg, StartCom Ltd. Phone: +1.213.341.0390 -- Regards Signer: Eddy Nigg, StartCom Ltd. Phone: +1.213.341.0390
_______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
