Tim Dierks wrote: > Nelson B wrote: > >> I would propose that when viewing a web site with a low >> assurance root CA, some kind of large ugly icon be >> displayed in the chrome, with a "tool tip" that says >> something like "This web site may or may not be who they >> say". > > I would propose that there be a way to display the name & > branding of the signing CA in the chrome when accessing a > secure site, then letting commercial CAs fight it out in > the marketplace trying to: > - Create a consumer perception of trust > - Convince merchants that consumers may care about how > trusted a CA is thus aligning the incentives of the > players in the transaction.
Yes, perfect. In the protected area of the browser display, there should be a branding area. In this area there should be icons, imagery, and anything else that could be standardized across the certs.
For example, this branding area could display a simple black ADH for an anon-Diffie-Hellman connection (if it were supported, which in general it is not), and a gray bland name for a self-signed cert. CAs could then fill the box with something more exciting than these boring standard symbols.
Mozilla's task would then be much simplified in just making sure that the new DodgyCA graphics collection didn't look anything like HotDangCA's collection; something that the CAs would also help with.
Only when the user is presented with the different CA brands is any form of security of site identity generated, beyond the very basic encryption layer.
Another really useful display in this branding area would be the number of times the cert has been seen, and recent activities (dates, etc).
> Also, it's much better to allow customers to determine > how trustworthy a CA is than relying on / creating a > dependency on the editorial judgment of the software > developers. Among other things, what will you do when > CA X, which offers cheap certs and has a has a crappy > validation process, asserts that they have a "high > assurance" CA and threatens you with libel if you don't > agree?
Or, CA Y, which offers expensive certs and a strong validation process, gets sold to CA X?
Fact of the matter is: trust is a profoundly personal and private matter, not a mere decision that can (or should) be made on behalf of users by the Mozilla team.
Cheers, -JC! _______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
