Gervase Markham wrote:
> Ian G wrote:
> > What is it you are going to put next to the
> > lock? It seems to me that the statement is
> > potentially large and bulky...
>
> The amount:
>
> www.paypal.com ($1000) [8]
>
> (where 8 represents a closed lock)

> > OK. Now, the first issue there would be that
> > PayPal is not guaranteeing the $1000, so it
> > would need to have the CA listed there as
> > well, to avoid confusion. (No bad thing!)
> > You could do half of what I suggested earlier
> > (and I think it was suggested that IE/Opera
> > do this) and put a Warning icon next to the
> > lock that was the same form factor. Clicking
> > would then bring up (any) critical display in
> > a generic form.
>
> But if this practice becomes widespread, many sites would have warning
> icons. And an icon which signified "warning" would be unnecessarily scary.

If somebody is using a 'critical bit' then I think
we might be wise not to hide that. To me, it's
pretty darn scary - as a security guy, I can't
think of any way to ring-fence it. It's like saying
that any CA can issue a protocol change without
review by the protocol people.

> Also, any such icon wouldn't be much smaller than printing the limit.

If it is just the number, then fine. This would
then leave us with the second issue, being the
cost of extracting the number and printing it.

But, can you draw the line in the sand?
What happens if IangInsidiousIssues sells
certs with the crit in it saying $100,000 but
inside the crit text, there is a caveat saying
that the limit only applies if spent in my
shop buying my goods?
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security