Ka-Ping Yee wrote:
> On Mon, 18 Apr 2005, Ian G wrote:
>> Gervase Markham wrote:
>>> It's like Michelin stars. You probably have to cook better food these
>>> days to get 3 stars for your restaurant than you did in the 30s, but
>>> three stars still means "the best available".
>>
>> Michelin stars would be a perfect example. [...]
>> If Michelin were to muck it up, their brand is at risk,
>> and users would start following other brands.
>
> It seems to me that the browser's job should be to provide the
> infrastructure that makes it possible for people to establish
> such rating brands, rather than to be held responsible for the
> ratings themselves. The two purposes are separable -- (a)
> consistent identification and (b) trustworthiness ratings.

Yes, indeed.

> I believe the problem is that right now a lot of people are
> expecting or led to expect CAs to do job (b), but they don't do
> that. They only really try to do job (a), and do even that quite
> poorly. Since the browser can take care of (a), CAs in their
> current function are unnecessary.

The way the browsers are currently built, they
expect that a CA provides a cert and it at least
has something like a control-of-domain capability.
Now, it seems that given that, the CAs must play
their part in (a) too. I'm going to ignore the
alternate, because there is no support for it.

> If CAs want to go ahead and
> do (b), fine, but then they better start acting like it.

They have no incentive to do so, and even if they
did, they'd be ignored. People widely ignore the
fact that when Verisign says "trusted" it means
one thing, and when Comodo says "trusted" it means
another thing. Until this is fixed, there is no
point in (b), so we see what we see - a race to be
the one who sells the most control-of-domain certs.
This is rational behaviour on the part of CAs, and
is totally the browser's doing.
iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/
_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security