All of these CAs and browser vendors should read "Security and Usability" before they meet. I'm skeptical of the idea of a high-assurance certificate. How much more complex do we need to make the Web for users who don't (and never will) understand principles of security? After all, they shouldn't have to.
CAs should start looking for IP and other tactics that MAKE THE PROCESS EASIER for end-users (commercial and consumer).
And, IMO, they're looking for the fix in the wrong place. Phishing starts with bait. Bait (currently) comes in the form of e-mail. They should be looking at better ways to provide secure (read: authenticated) e-mail to commercial and consumer users -- based on good, solid CAs.
Easier said than done, I'm sure...