As a consumer you want someone else to promise you it's safe. As a supplier, you would be utterly insane to do that, without doing a lot of actuarial (insurance) calculations up front and taking twice the likely amount as a premium.
I am not suggesting that we make any assurances that the CA is not making; I am suggesting we more clearly represent the CA's position in the UI. As you know, CAs take different positions on this issue.
OK, but the chance goes down rapidly if it is a scam, and this applies both to Verisign's $1300 platinums and to Dodgy Dan's $10 certs. The only determining factor is that a scammer won't bother spending $1300, but if you make that your measure, all historical evidence points out that you are going to be shocked ...
The way to reduce phishing is to increase the cost of setting up a phishing site, both in terms of cash and revealed info (pushing them onto SSL, forcing them to reveal info) and decrease the value of the site (OCSP). The closer you get the two average costs, the less phishing there will be, because it will make the bad guys less money, and they'll go back to shipping drugs instead.
Actually, I think the CAs might have an answer to that question.
They do. Put their logo on the chrome and let them beat each other up in the marketplace on the question of brand versus quality.
Actually, I explained my point about logo confusion to a representative of a big CA this week, and he agreed with me absolutely. But I agree there's a spectrum of opinion here.
Try it! You'll get a bunch of different opinions on what to do and never get anywhere, would be my suggestion.
I will try it.
So (just to be clear) a corollary of this position is that we should admit any root cert to the browser store without any sort of vetting or checking.
Yes, technically that is a corollary! I don't want to open old sores, but ...... Consider that the proposals and the way browsers work is that a dodgy cert or a bad CA or a low number of bits are all considered *worse* than unprotected HTTP (which is indeed much better for phishers) then, actually, accepting any root cert without vetting would be an improvement in security terms over totally unprotected HTTP.
I agree that the issue outlined in the first half of the sentence needs to be dealt with, but the second half is not a valid conclusion from that.
To which you say, if you don't know who GeoTrust is, then you shouldn't risk your credit card.
So she won't be buying much, then!
We're obviously going round in circles here. Time to stop, I think. I'm getting dizzy.
Gerv
_______________________________________________ Mozilla-security mailing list [email protected] http://mail.mozilla.org/listinfo/mozilla-security
