The difficulty for the end user here is that the little lock icon is overloaded: it is taken to mean both "session is secured against spying" AND "session is with a trusted partner". One could argue that this confounds authentication (verifying the cert.) and authorization (asserting trust of the target site). One could also argue that end users should know better than to read it that way, but the UI is just too simple to do the job required and the protocol hasn't been supplying all the information that the user really wants.
The CA and browser folk (http://www.cabforum.org/forum.html) have been working on that and are about to roll out a fix, which they're calling Extended Validation. It looks like, for more money, you get a certificate which certifies more about you, such as your business' real-world name, and compliant browsers will display the additional information when you connect. This begins to pry off one of the two meanings of the lock. It is at least an interesting attempt. Maybe after a while we'll get browsers which allow us to craft explicit trust lists, so that we can have a little smiley-face or something next to the lock which indicates "you have explicitly told me to trust this object".

-- 
Mark H. Wood, Lead System Programmer [EMAIL PROTECTED]
Typically when a software vendor says that a product is "intuitive" he means the exact opposite.
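The two questions the message says the lock icon conflates (is the channel secured, and is the far end someone I have decided to trust) can be answered separately from the certificate itself. The following Go program is an added example and not part of the original message or of any browser or CA Forum code. It builds constructed, self-signed test certificates in memory, so nothing is fetched from the network; it approximates the DV/EV distinction by whether the subject carries an Organization and Country (real EV certificates also carry jurisdiction fields and a CA policy identifier, which are left out here); and it models the "explicit trust list" the author wishes for as a map keyed by the SHA-256 fingerprint of the certificate's public key, the way pinning tools do. All names and hostnames in it are made up.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"fmt"
	"math/big"
	"time"
)

// MakeCert builds a self-signed test certificate in memory with the given
// subject. Constructed sample data only; it is not any real site's certificate.
func MakeCert(subject pkix.Name) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      subject,
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		DNSNames:     []string{"example.test"}, // hypothetical hostname
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// NewDVCert mimics a domain-validated certificate: only a hostname is asserted.
func NewDVCert() (*x509.Certificate, error) {
	return MakeCert(pkix.Name{CommonName: "example.test"})
}

// NewEVCert mimics the richer subject of an Extended Validation certificate,
// which names the real-world organisation behind the site (simplified here).
func NewEVCert(org, country string) (*x509.Certificate, error) {
	return MakeCert(pkix.Name{
		CommonName:   "example.test",
		Organization: []string{org},
		Country:      []string{country},
	})
}

// SPKIFingerprint is the hex SHA-256 of the SubjectPublicKeyInfo, the usual
// key for a user-maintained trust (pinning) list because it survives renewals
// that keep the same key.
func SPKIFingerprint(c *x509.Certificate) string {
	sum := sha256.Sum256(c.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// Verdict keeps the three facts apart that a single lock icon blurs together.
type Verdict struct {
	Encrypted         bool   // a key exists to secure the session (all the lock really proves)
	IdentifiedOrg     string // organisation the cert asserts; empty for a DV-style cert
	ExplicitlyTrusted bool   // the user put this key on their own trust list
}

// Assess reads what the certificate actually says and checks it against the
// user's explicit trust list; it does not do chain or hostname validation.
func Assess(c *x509.Certificate, trustList map[string]string) Verdict {
	v := Verdict{Encrypted: c.PublicKey != nil}
	if len(c.Subject.Organization) > 0 && len(c.Subject.Country) > 0 {
		v.IdentifiedOrg = c.Subject.Organization[0]
	}
	_, v.ExplicitlyTrusted = trustList[SPKIFingerprint(c)]
	return v
}

func main() {
	dv, _ := NewDVCert()
	ev, _ := NewEVCert("Example Corp", "US")
	// Constructed trust list: the user has pinned only the EV-style key.
	trust := map[string]string{SPKIFingerprint(ev): "my bank (pinned by me)"}
	fmt.Printf("DV cert:       %+v\n", Assess(dv, trust))
	fmt.Printf("EV-style cert: %+v\n", Assess(ev, trust))
}
```

Running it shows the point of the message: both certificates yield Encrypted=true, so a lock that only reports encryption looks identical for them, while IdentifiedOrg and ExplicitlyTrusted are what a richer UI (the EV organisation display, or the author's smiley-face) would have to surface separately.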