> Ian Grigg wrote: >>>I am not suggesting that we make any assurances that the CA is not >>>making; I am suggesting we more clearly represent the CAs position in >>>the UI. As you know, CAs take different positions on this issue. >> >> Right. So there needs to be an easy way to >> show the CA / position. > > Position, yes. CA, no. ;-)
Well, all I can suggest that this is a hard problem. The only solution I know of is the logos / branding / reputation approach which works for most all retail markets. Perhaps you could come up with some example "positions" so we could play around with them? [discussion on a CA that doesn't like his logo :] > I explained why I didn't think putting logos on the chrome was a good > idea, and he agreed absolutely. OK! Well, there's not much I can say to that other than put him in touch with me and I'll discuss with him why he doesn't want to put logos on the chrome of browsers. (BTW, I wholly agree that users will face some confusion. For a while... and then it will migrate to the point where they won't be confused, it will be as if it was always that way, and they'll be very upset if you dare to take away the logos. That's a necessary cost of getting to the next level of security, IMHO.) ... >> Until she learns! Nobody forces her to shop. It's >> not our God given mission to make her buy those goods. > > I think a browser which said "Hey, don't shop online until you've learnt > the following 35 logos and assessed their trust levels by, I don't know, > reading these Certificate Practice Statements" wouldn't have much market > share. I agree. That's not what is being suggested. What is being suggested is that the browser relate the statement "this is X.com" to the person who made the statement "CA.com". I wouldn't suggest the browser say any more than that because it is not authoritive in the question of whether a user should shop online. iang _______________________________________________ Mozilla-security mailing list Mozilla-security@mozilla.org http://mail.mozilla.org/listinfo/mozilla-security