1. The reason there is a strong dominating player at the moment is because there is no way to compete.
But the reason there's no way to compete is due to whose root certs are in the main browsers, not any other reason like branding or lack of it.
3. Incumbents don't currently do anything to justify their brands, basically because they don't have to. If they had to, there would be a shakeup in the marketplace. Those that are small, lean and mean would be much better placed to deal with the new branding issues than those that are large, and encumbered with the baggage of past mistakes.
But there can never be a proper market in certs, can there? If Amazon is secured by Verisign, I can say "Well, I don't trust Verisign", but if I want to buy from Amazon, I don't have much choice, do I?
4. Mozilla's mission is not to support or work against any particular supplier of anything. It is - as I recall from earlier discussions on the crypto list - to deliver the best product it can for the average user. So, if reinforcing the monopoly is the best way to secure the traffic of the user, then that's aligned with Mozilla's mission.
Fair point.
I don't see the problem. The user sees that they are different sites. She analyses the sites, and if they are bona fide, enters different pet names and carries on. When she gets phished over to https://www.barclaysbank.com/ and finds that the site might not be right, she doesn't petname it.
But surely the point about phishing is that https://www.barclaysbank.com looks totally genuine even if it's not.
I assumed the point about petnames is that the user "goes to their bank", but the petname doesn't appear, and they go "Huh?". Was I wrong?
to hide all the real information. So the problem with the above is to stop assuming that they are valid, and to insist that the user authenticates them in some fashion or other.
Using what evidence? Inspecting the website? The only sensible thing I can think of is comparing the URL with one printed in e.g. a magazine. But who would bother doing that?
Gerv

_______________________________________________
Mozilla-security mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-security
