On 14/10/2009 02:04, Daniel Veditz wrote:
On 10/13/09 9:23 AM, Johnathan Nightingale wrote:
The temptation to attach UI to this problem sets off
"blame the user" alarms for me - do we think that uses will make better
decisions with this information? Like I say, I don't think we're at
WONTFIX on this question, but I don't think it's an easy problem to
solve correctly, either.
For the user this is merely informational (and therefore fully open to
the charge of clutter). The idea is to enlist site authors/owners in
pressuring CA's to step up their support so the uglybar on their site
goes away. As opposed to completely blocking the site at which point the
pressure is on _us_ for the CA's failure.
Every CA that is engaged in EV is already under pressure.
Every CA that does standard certs is also under some pressure.
Is this really the best use of resources? Of the patience of a few
million secured website users?
If you want to put CAs under pressure, ask Frank to send them all a
letter outlining the OCSP situation ... and letting them know that in
the future, OCSP is a popular option. Simple. One page, 100 emails.
Alternatively, if you want to do this, in order to avoid the bayesian
nightmare, you're going to have to code it up, test it, then do user
testing, then push it through the upgrade procedure, then deal with a
flood of false positives. Then potentially unroll the lot because you
got it wrong. Which is statistically likely.
If you want something more proactive, publish a list of who does great
OCSP. The CA gets its logo published if it passes the test. Elsewise
the red thumb, down.
iang
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
