Eddy Nigg (StartCom Ltd.) wrote:
> Heikki Toivonen wrote:
> > The identity of the CA would add value only if the user had any way of
> > actually being informed what it meant and how trustworthy they are in
> > their business. 
> Wait a minute! When you open the tab of the certification details,
> doesn't it say what it means? Do you need special education for this? It
> shows the details of the certificate - subscriber and issuer of it - and
> any other note the CA has bothered to include. So if you read "Persona
> not validated", "Domain validated only" or "Fully Verified" doesn't it
> tell about it? More than that, it might help, if you can compare the
> name and details of the subscriber with the web site you visit...

Most users have no idea. *I* have no idea what kind of checks CAs do to
issue most certificates. (I know domain validation, and I've seen what
documentation some CAs ask when issuing a personal email certificate.)
Suppose I look at cert details and I see Persona verified by StartCom. I
don't know what StartCom would do to verify Persona.

I can just about guarantee that most people won't understand what
subscriber and issuer mean in this context. I can assure you my parents
don't know what domain means (they know a web address and email address,
though).

I wouldn't go so far as to call users stupid, but it is obviously out of
most people's area of familiarity and interests.

>> Some requirements for that to happen would be for major news outlets
>> reporting that, and writing in the non-tech section explaining what
>> people should be doing to avoid being bitten by that. I just don't see
>> that happening, because the major news item of the day is Britney's
>> divorce instead...
>>
> I think you paint the casual user just too "stupid". If he knows to
> operate a computer and browser, then he knows to read the certificate
> details. Otherwise let's just omit them perhaps? If the user gets burned
> by a web site, how does he know what to do, if he is indeed so helpless
> and uneducated?

Not stupid, but this is an area that they know nothing about and which
is not obvious at a glance. If we required "internet driving licenses"
before people went on the net then understanding this could be a
requirement (one can dream).

I do think it makes sense to show some additional information from the
certificate about the site the user is trying to access, like company
name etc. But information beyond that gets into an area that most people
just don't know about.

People that are the victim of a crime go to the police.

-- 
  Heikki Toivonen
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security