Ian G wrote:
What do you tell a user when he sees a restaurant
rating he doesn't recognise?

It depends. If he sees five stars, he can at least think "well, someone thinks it's very good, and it must be someone who a lot of people have heard of, otherwise the restaurateur wouldn't bother putting the stars out front."


Or, they could pick another restaurant. Or, they could take pot luck - after all, the downside's not so big. General health regulations make it pretty unlikely you'll get food poisoning wherever you eat.

However, in the world we are talking about, there's no implied "5-star" value in a particular CA logo. There's no way to pick another CA to secure your transaction. Taking pot luck is potentially much riskier.

This analogy doesn't work. The equivalent analogy would be driving to a store which required you to drive your merchandise home in a car of their choice, which had a greater or lesser likelihood of malfunctioning and crashing on the way home. You'd certainly need to know about Honda, Mack and Volvo trucks then! Or, to make life much easier for yourself, you'd need a "Which?" report in your hand which said "Honda and Mack trucks are pretty safe. Avoid Volvo".

Well, the thing about analogies is that they are never perfect. That's why they are called analogies; there is always some way to show they don't work.

Yeah, but this one isn't even close. Or rather, it's wrong in all the parts you were using to make points.


She goes to amazon and sees say verisign.

No, she doesn't. She goes to Amazon, spends half an hour shopping, goes to "Secure Checkout" and _then_, when she has a lot invested in the relationship, she sees Verisign.


Also, you've picked an easy example, because Amazon and B&N's merchandise is basically identical. Try a harder one - say a trendy clothing store.

is fine."  So she buys a book.  A bit later on she
goes to her bank and sees GeoTrust.  Well, that's
no good she says, so she asks the same person and
he says, "GeoTrust is fine."  So now she knows
two.  ... and on and on.

So instead of a CA doing the vetting, we have her mate down the street? Some might argue that's not an improvement.


Gerv