On 31/12/08 01:31, Ben Bucksch wrote:
> On 30.12.2008 23:34, Kyle Hamilton wrote:
>> That difference /can/ be communicated to the end-user, unobtrusively.
>
> Sure, but they can't use that information. I just asked a friend whether
> she knows what VeriSign is - she never heard of it. If you have no
> concept about how all that works, no idea what a MITM attack is, how can
> you make a decent decision?

Right. She doesn't know what Verisign is because the browser won't let Verisign brand itself to her. I guess it would be different if Verisign were a search engine :P but we are in the department of the central URL bar, not the right-hand search bar.

> Besides, the amount of colors we can use is limited. ;-)

Um, countries and flags say different. Favicons say different. Corporate logos say different :-)

> We'd be happy if people would even check the domain name in the URLbar
> and the lock icon!
>
> Most people here were surprised to learn that Comodo has 7000 resellers

They do?  Nice for them.  Where is this disclosed?

How many certs are they selling? If the Danish group were indicative we are looking at around 700k.

> - how is a user supposed to know all the levels of verification, esp. as
> we seem to find new lows all the time? The problem at hand is that
> Comodo's RAs under PositiveSSL simply made no verifications at all,
> although they were *legally required* to do so.

Do you mean "contractually required"?  Minor point.

> How are we supposed to
> match that to UI? We can't. It's simply a failure of the CA. They get
> worse and worse and worse. It's *not* a UI problem. We just have to yank
> them, it's that simple. Then, users don't have to worry.

Put Comodo's name on the chrome. They will never fluff it again, I guarantee it, or sue me.

(OK, that's a bit of a joke, please don't take it literally. The thing is that they have zero incentive to do it correctly. Give them an incentive?)

(For those looking for a "biased" argument or an "advocacy" approach in the above, note that I published this argument frequently before my current role as auditor of a CA. It's just business common sense.)


iang
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
