Robert Sayre wrote:
> I believe it presents a higher barrier. Since there is no technical
> advantage to EV, I am not sure that will matter, once ways of
> manipulating the EV system are discovered by criminals (does anyone
> think they won't figure something out?). I don't think Mozilla should
> jump in right away. This is unpleasant, because it would then appear
> that IE has a "feature" we lack. So, I understand the desire to go ahead.

As usual I've come to the conclusion that Mozilla reps are asking for feedback, but don't really care for answers as their minds are either made up, or just don't care.

Until numerous conditions have been met forcing all sites doing some form of business into using EV certificates (and paying through the nose for it), people will continue to use cheap certs to operate, and phishing sites will continue not to use certs at all, and so what is gained unless you not only have an approach for how to issue EV certs compared to enforcing their use?

This is going to be another click-through popup. Everyone will associate yellow v green, as most sites are going to be yellow long after whatever is passed by the powers that be, so everyone might as well keep going with the connection to this site because we've become numb with conditioning that yellow is good and the padlock is still there, which I've always been told to look for.

This is where the scammers will win, because to get the majority across you would have to have a low price point, and that isn't going to happen.

What's really sad here is instead of leading security Mozilla are happy to follow like sheeple; instead of embracing university researchers in ways of making browsing safe, they are embracing and extending Verisign's bank balance.

As some have pointed out on the anti-fraud list (Gerv is also on that list), identity isn't a good thing to make strong because then it only leads to identity fraud, and what he fails to grasp is the fact that no matter how strong or good he thinks this system is, others will still find loopholes *if* they even feel it's necessary.

--
Best regards,
Duane

http://www.cacert.org - Free Security Certificates
http://www.nodedb.com - Think globally, network locally
http://www.sydneywireless.com - Telecommunications Freedom
http://e164.org - Because e164.arpa is a tax on VoIP

"In the long run the pessimist may be proved right,
but the optimist has a better time on the trip."
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto