7 Dec 2004 13:37
Re: 2004 - The Year of the Phish
Gervase Markham <gerv <at> mozilla.org>
2004-12-07 12:37:37 GMT
Ian Grigg wrote:
> Good question. The answer: Branding. VeriSign
> and other CAs would need to establish their brand
> with the public. Verisign would need to act like
> Intel or Coke or Ford and establish a brand that
> speaks of trust.

Isn't that just reinforcing the monopoly they currently have on SSL certs? And raising the barrier to entry for newcomers?

> The problem is foisted on us somewhat by the PKI
> design. At the moment, any cert signed by any CA
> is assumed to be good by the software, but it's
> pretty easy to see and to show that that is a really
> bad assumption. Now, if we are going to have a PKI
> where a CA is expected to be trusted, then that name
> must be known by whoever relies on that trust (the
> user).

Or the trust has to be assessed by the user's software provider.

> It's a bit like if I were to sell you a can of
> Coke that was coloured green. I say it's coke,
> but you know something's wrong coz you've always
> had familiar red cans. That signal should be
> sufficient to get the average user thinking a
> bit more.

I suspect the average user would (if you told them) just assume it was a promotion.