On 5/04/12 12:29 PM, Daniel Veditz wrote:
On 3/30/12 6:47 AM, ianG wrote:
I've been asking them for years to add the CA's name to the chrome.
But they still don't. Thus totally mangling any concept of who is
saying what to whom when why whether.
Most of the time I think that'd be a good idea, too. We sort of have
it, but not "at a glance" -- you have to hover over the identity
button or actually click it to see the CA.
If we did, though, which CA do we use? There's no space to show the
whole chain so our choices are the immediate EE issuer (which could
be faked if some other CA were badly compromised) or the root which
may not be all that useful. Of the two I'd pick the root as most
reliable
The root is the one that is responsible.
There isn't really a concept at the vendor level that we recognise the
sub-CA as separate brands. The original Mozilla policy never recognised
such a thing, and no CA has turned up and said "hey, guess what we're
doing!"
(If CAs want sub-CA names on the chrome, then they have to come and
negotiate that. And by the way, they should do that with full
disclosure, full discussion, full debate, not the
policy-arbitrage-then-grandfather thing that some CAs are hoping for.
This is why there is so much angst & pressure over on the policy group
to shut down the sub-CAs - no meaningfull response from the CAs.)
It wouldn't be that meaningful to most users (what is it? am I
expected to remember what it says on each site? should I worry if it
changes? sometimes sites do change legitimately so how do I tell?)
which is why our UX designers have kept it out of sight.
It would be meaningful to a vastly larger number of users than what is
happening now. One thing to remember - even children at 3 years old
know how to remember brand names. Annoying as it seems, brands are one
of the most powerful tools we have to get to users.
It would also solve the problem that most users just trust Mozilla to
make all their "trust" decisions. Notwithstanding the legal contract in
BR (*), as far as users are concerned, Mozilla makes the decisions. And
if Mozilla's decisions screw up, Mozilla has to fix it. That's how it
was with Diginotar - it was Mozilla's failure and Mozilla's fix.
Putting the CA's name on the chrome goes a long way to shifting the
responsibility for the CA's mistakes from Mozilla back to the CA.
iang
(*) BR's contract change at 18.2 is very helpful because it lays out
Mozilla's legal position, but it doesn't make it work in court as yet.
Mozilla has to make the contractual position into reality with the
users, else the contract isn't useful.
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
