Gervase Markham wrote:
However, such negative consequences are provided without too much of the "publicly" from your sentence above. "Publicly accountable" has, at least in the past, been associated with putting CA names in the chrome.

Could we push the accountability onto websites here as well (coming back to the idea of "who are the CA's customers?")?

In other words, for CA public accountability to work in this scenario, the following has to happen: user shops at site Foo Corp. User spends half an hour filling their basket. User goes to the checkout, and finds that it's secured by Snake Oil CA. User has a strong enough understanding that Snake Oil CA has a bad reputation that they throw away their basket and go and shop elsewhere.

So an alternate proposal is the user gets to the checkout, and gets a nice message from the browser saying,

  "The organization which says this site is safe to shop at is known
   to lie.  Sending this site money could be very dangerous."

Still sucks for the user, but once the site discovers this is happening they'll be either banning browsers or switching CAs pronto. Question is which. ;)

-Boris
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security