Johnathan Nightingale recently presented his work on making website identity more transparent (and less confusing) for Firefox users. I downloaded his prototype extension to see for myself exactly where he was headed and I ended up becoming much more i…

Brian, bear in mind that before now, the CA’s name and thus its role and quality was hidden. If you think that Mozilla made mistakes in its root list, then I’d suggest mistakes can only be fixed if they can be seen. Browsers can expect to hear a lot more noise and face a lot more scrutiny on CAs if and when the brand is surfaced: if anyone sees a strange name, then they are motivated to investigate and comment, either positively or negatively.

It’s not reasonable for us to expect a browser to get it right every time, but if mistakes are hidden, nobody is encouraged to help. (Disclosure: I audit a CA.)

There is also the question of _when_ the CA verified the identity of the site. The EV guidelines state that certs last 12-18 months, IIRC, and the CA is only required to re-verify the identity of the website owner (not operator) once per year. That is a long time in Internet time.

Your stance against “Green means go” with respect to EV certs is right on. I have read through the EV requirement drafts. The EV verification requirements are heavily weighted favor of larger businesses. In fact, as of the current standards, ONLY corporations (not small businesses, and not sole proprietors or individuals) qualify. Furthermore, the EV verification process does nothing to verify the identity of the hosting providers or the payment processors for a website. A company could have an EV cert for a website that is running on a machine owned and operated by convicted thieves and still qualify, as long as said company has a phone that they answer in a businesslike manner–yes, that is what the EV requirements say!

I think that every EV cert should include a statement from the domain owner stating their privacy and security guidelines, and what procedures they have gone through the verify the statement (WebTrust-like audits, etc.) This would be analogous to the CA’s CPS statement, but user-oriented (i.e. not 200 pages of jargon). It would be signed (cryptographically) by the CA and the website, and firefox would retrieve it on demand. If the statement is missing, Firefox would say “The identity of this website was last verified on July 21, 2006 by ABE.ECOM. Neither ABE.ECOM nor the owners of this website have provided any assurances regarding the content of this website, your privacy, or anything else regarding the safety of using this website.” An abbreviated form of the CA’s CPS statement should be included as well–especially the parts where they disclaim any and all liability and refuse to warrant the service they provide.

This takes away a considerable amount of responsibility from Mozilla and give it to the CA and the website operator, the CA, and whoever Mozilla delegated CA verification to (WebTrust?). Then, Firefox just needs to include a single “How Safe is this Website?” button to show what the Website said, what the CA said about the Website, and what Firefox and/or Webtrust had to say about the CA. Which all boils down to, approximately, “nobody promises anything about anything.”

Personally I like the green bar, but I also liked the dancing banana idea.