Duane wrote:
This is being touted as representative of the CA and
browser communities/vendors, when I'm guessing it's only encompassing a
very finite view of security based around monetary value of it alone. As
pointed out in the past (by yourself as well), browser SSL/TLS security
extends beyond credit card payments alone...

Well, *I'm* not touting this as fully representative of the CA and browser vendors/projects. Speaking generally, the people who get exercised about the sorts of issues Gerv discusses in his draft paper are commercial CAs selling SSL server certs for e-commerce applications. I agree that this excludes non-SSL uses of certs, SSL uses not having to do with e-commerce, and non-commercial CAs including both non-profit CAs and government-affiliated CAs. It's focusing on just a piece of the overall puzzle, both because it's associated with the general phishing issue and because the e-commerce market is of the most interest to most (if not all) commercial CAs.


As I've said before, I don't think use of certs in general and SSL in particular should be artificially constrained to fit the perceived requirements of the Internet e-commerce market. To get back to Gerv's draft paper, I think his discussion is consistent with that approach: He's proposing leaving the existing browser CA/SSL model and UI in place for legacy CAs and certs, and basically creating an extension to the model and UI specifically for SSL uses with financial implications. Certainly one can quibble with the various details of his proposal; for example, it may be that it would be more appropriate to give special treatment to only one additional class of cert, rather than the two classes ("shopping" and "banking"). However this general approach is IMO worth discussing.

Frank

--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security