Nelson B wrote:
I would propose that when viewing a web site with a low assurance root CA,
some kind of large ugly icon be displayed in the chrome, with a "tool tip"
that says something like "This web site may or may not be who they say".

I would propose that there be a way to display the name & branding of the signing CA in the chrome when accessing a secure site, then letting commercial CAs fight it out in the marketplace trying to:
- Create a consumer perception of trust
- Convince merchants that consumers may care about how trusted a CA is


thus aligning the incentives of the players in the transaction.

Also, it's much better to allow customers to determine how trustworthy a CA is than relying on / creating a dependency on the editorial judgement of the software developers. Among other things, what will you do when CA X, which offers cheap certs and has a crappy validation process, asserts that they have a "high assurance" CA and threatens you with libel if you don't agree?

 - Tim
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
