Eddy Nigg (StartCom Ltd.) wrote:
Here is an article concerning that 1 % statement:
http://www.theregister.co.uk/2006/10/25/verisign_extended_validation/
That article is mostly rubbish. Even the people quoted in it have said
they were taken out of context.
Eddy Nigg (StartCom Ltd.) wrote:
Not yet obviously! There are certain indications in the draft, which
suggest high costs for the CA and therefore for the subscriber.
Higher, certainly.
Can you be more specific than "various reasons", and explain the
reasoning behind your "most likely"?
Many
Alaric Dailey wrote:
and we aren't talking about Jumping to because MS and Verisign
invented this new type of cert?
No, they didn't. It was invented by a consortium of CAs and major
browser vendors.
And aren't High Assurance certificates (as they exist now from
places like Comodo)
On Tue, 7 Nov 2006, Gervase Markham wrote:
Additionally, one reason why phishers haven't been using SSL is because
browser makers and others aren't screaming "look for the lock"; and the
reason they aren't doing that is because they know phishers will then
start getting domain-validated certs
Eddy Nigg (StartCom Ltd.) wrote:
I think
everything the user needs to make a decision about trusting a site needs
to be visible by default.
So you agree with me? ;-)
On the principle, but perhaps we want different things present by default.
Requiring the user to mouse over a control
gets
On Tue, 7 Nov 2006, Gervase Markham wrote:
Robert Sayre wrote:
We will probably arrive at this state if we are at all serious. We need
to have a clear definition of obvious disregard and the consequences,
so the event doesn't become a negotiation.
Well, it's never a negotiation, because
Gervase Markham wrote:
Number of businesses != number of transactions, as I've pointed out
You can point out the same thing over and over, but where is the proof
of your statement?
Sure the top 1% will have a lot of transactions, but the other 99% will
have combined a lot of transactions as
Robert Sayre wrote:
I think it should stop us from covering our UI in green bars and locks
that are trivial to spoof in content. We know users aren't very good at
distinguishing chrome from content in the first place, and even my bank
site looks like a scam--it's got some corny lock gif right
Gervase Markham wrote:
Your axe-grinding just makes you more likely to be ignored. These are
not Verisign's proposals, spin via The Register notwithstanding.
Just like your axe grinding against Ian?
If law enforcement is unwilling to prosecute fraud, then all that's left
is reputation. For
___
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
Gervase Markham wrote:
surrounding it. The latter is pretty important. If banks, browser
makers, CAs, consumer advocacy groups and online shops are all saying
Banks... maybe, although they already brand with Verisign to try and
convey some kind of trust, but that's mostly a joke because the
On 11/7/06, Eddy Nigg (StartCom Ltd.) [EMAIL PROTECTED] wrote:
Duane wrote:
Since phishing exists happily with no SSL, why would they start using
SSL all of a sudden now that EV's are being discussed?
Somehow I have to agree with this statement. EV certificates solve
perhaps partially a
Ka-Ping Yee wrote:
An effective revocation mechanism, temporary or
permanent, for CAs and for individual certificates, would probably help
to some degree.
That is a good idea. Perhaps the policy should be to revoke 10,000
individual certificates issued immediately before and after a
Gervase Markham wrote:
Now is not the time to again bring up my personal issues with various
proposals which have been made in the past; but I would comment in
general that often, while proposals have a good understanding of
security, they have a less than perfect understanding of usability.
Eddy Nigg (StartCom Ltd.) wrote:
Gervase Markham wrote:
For example: _16. Verification of Applicant’s Physical Existence_ might
be problematic, especially a visit at the premises from the CA's point of view.
I actually want the CA to do this check on my behalf. There may be ways
for the CAs to
Hi David,
So I represent a certification authority, I am also a user, a Linux
vendor and supporter of Open Source in general! Except the initial
questions and suggestions which were CA related and about which Gerv
either provided sufficient information or promised to take care of, my
proposals,
On Wed, 8 Nov 2006, Duane wrote:
What I find amusing is the fact that even after attacks in the wild that
hide the status bar in MSIE and show an image which fakes the status
bar and lock, they still want a uniform interface to make it easier for
fraudsters to fake in future.
I think some
Ka-Ping Yee wrote:
But if certificate revocation is going to work, doesn't it have to be
implemented by the browser? Couldn't there be a role for Mozilla to
play here?
There already are mechanisms for that. CRL and OCSP. Unfortunately they
are not on by default (various issues with CAs and
Eddy Nigg (StartCom Ltd.) wrote:
manually. OCSP is turned _off_ by default, I think. An improvement would
be to use the CRL distribution points identifier and import the CRL
automatically.
Actually this wouldn't be an improvement and there are various reasons why
CRLs were replaced with OCSP, and