Sander's Weblog

October 27, 2006

New SSL Certificates, now with Green which is More Safer!

Filed under: Security,Tech — Sander @ 8:58 am

As noted in The Register, Verisign teams up with Microsoft to enhance the user experience of Internet Explorer 7 when browsing SSL-protected sites. Verisign will sell High Assurance certificates to sites that pass a more stringent identity verification than is currently the norm. When it encounters such a certificate, IE 7 will turn the address bar green in addition to displaying the usual padlock. A Phishing Filter (Philter?) turns the address bar red when the user accesses a known phishing site.

While I hope that they include enough visual cues for the red/green colorblind among us, I don’t dislike this idea. Is it a scam? Not necessarily. Details about what a High Assurance or Extended Validation certificate actually comprises are scarce, but it’ll probably take the form of a certificate attribute that Verisign will set on these mo’ expensive, mo’ better certificates. Such an attribute can be set by any CA, parsed by any browser and can be ignored by the enormous installed base of credit card wielding, revenue generating users of older browsers. Whether or not a company drinks the Microsoft/Verisign Kool-aid, they hopefully won’t stand for breaking backwards compatibility. On the other side, it’s the responsibility of the Certificate Authorities to only set this attribute on their mo’ better certificates, for which they in turn can charge mo’ money.

This whole thing ties into a new concept of Trust. The situation is not black and white anymore. Trust is the new green. Or yellow, or red. You can get a cheap certificate by proving that you can ping an e-mail back and forth to the CA. This shows them that you have access to e-mail on the domain, which is good enough for them as an (automated) identity verification. Whether said domain is practically undistinguishable from that of an actual business falls outside this check. One would dearly hope that applicants for a High Assurance certificate undergo more scrutiny than that.

Earlier this month at ApacheCon, I attended a very interesting talk by Lisa Dusseault about Federated Identities. As she talked about rate-limiting the creation of centrally verified identities to thwart spammers, she came up with the Fifty Dollar identity. The knowledge that the party you are talking to has a non-trivial sum of money behind their identity record might positively affect the trust you place in that identity. I see much the same happen with this new server-side certificate paradigm: cheap normal certificates you trust a little, and mo’ Green mo’ better certificates you might trust more. So far, browsers have not given us any idea about the quality of a site’s certificate. It’s either trusted, or the browser puts up a slew of scary dialogs. The red/green address bar might bring some nuance to this concept and put a more human face on the concept of the identity of a web site.


October 25, 2006

Books Page

Filed under: Apache,Stuff — Sander @ 7:58 am

My blog now has a Books Page, with some recommended titles. I’ll add more in the near future, so check back!


October 18, 2006

Bat and Switch

Filed under: Apache — Sander @ 8:03 am

I have been to Austin a number of times over the past couple of years. This past ApacheCon was the first time I actually stayed downtown rather than in one of the hotel ghettos on the perimeter. Hence, this was the first time I got a real taste of the absolutely crazy party scene on 4th and 6th streets… bar after bar after bar, every single one with a live band, each one louder than the one before. I guess this is why they call it the Live Music Capital of the World…

One of Austin’s many attractions is the bat colony at Congress Avenue bridge. This is a colony of Mexican Free-tailed Bats that comes north every year to give birth, and settles under the Congress Avenue bridge over Lake Austin through the end of summer. Around sunset, they wake up and fly out to feed on insects. Bat-watching is a popular activity and you can call the Bat Hotline (on the Batphone?) to find out when they are expected to appear. We hear that the sky turns black with bats as up to 1.5 million of them take to the air.

We went to see them with a bunch of people on the last evening of the conference, but unfortunately the bats did not appear. We only saw four or five or so… perhaps they had taken the night off.


October 17, 2006

Back from ApacheCon

Filed under: Apache — Sander @ 9:06 am

So, having returned from ApacheCon Austin, let’s take stock and see how I did on the To-do List. I did catch up with a bunch of people. I completely missed the Infrastructure committee meeting, and successfully avoided giving a Lightning Talk. Sally’s Media and Analyst training was a good eye opener, and we wound up being interviewed by a Real Analyst. As noted elsewhere, the talks and keysigning were completely hectic. We went to watch the Spazmatics on Wednesday night, and saw the Old 97s on Friday night at Stubbs Barbecue. And, oh yes, beer was consumed.

Finally, when the sign at the airport concessions says that the muffins and pastries are “Baked Fresh Daily”, it means they aren’t. Actually, they may be baked fresh daily, they just take a five day journey between the bakery and the airport concession. Pfyech!


October 12, 2006

Thursday at ApacheCon

Filed under: Apache — Sander @ 7:18 pm

Yesterday was packed to distraction. I gave both my talks and hosted the keysigning session.

The talks went OK… the content of the first one is kind of old, but sixty people showed up so there must be a need. I discovered one big hole as I went along: I talk about Apache 2.x Multi-Processing Modules, but never actually list the available options. Some graphics would be nice as well in that section, and I can lose a couple of the detail slides.

I’m not happy with the way the KeySigning went. Several people who mailed me their keys turned out to not be on the list, which is just unfortunate. I seem to achieve a higher level of disorganization every time I do this, and feel a need to break that trend.

However, having all of my sessions on the first day leaves me to enjoy the rest of the conference without having obligations hanging over my head. This morning I attended a talk by Rich Bowen and John Coggeshall that went into the supposed animosity between the Apache and PHP communities. Very informative.


October 10, 2006

Things To Do at ApacheCon

Filed under: Apache — Sander @ 7:34 am

I arrived in Austin this afternoon for ApacheCon US 2006. Since everyone is doing it, let me post a modest to-do list:

  • Reconnect with folks I haven’t seen since Dublin
  • Reconnect with folks I haven’t seen since San Diego
  • Infrastructure Group meeting Tuesday morning
  • Media and Analyst Training Tutorial on Tuesday afternoon
  • Prepare for my talks and present them on Wednesday
  • Host the PGP Keysigning on Wednesday night
  • See several bands while I’m here
  • Try to avoid giving a Lightning Talk
  • Drink beer

Not a lot of entries that actually have anything to do with code. Perhaps I can find some code this week to which I can contribute. I’ll try to regularly blog during the conference, but we’ll have to see how well this resolution, or any of the above, will hold up. Fortunately, several of the action items are in full progress, including the “Drink beer” part.


October 2, 2006

ApacheCon EU 2006 PGP Keys Signed

Filed under: Apache — Sander @ 7:17 am

I finally got around to signing the PGP keys I verified during the ApacheCon EU 2006 keysigning session in Dublin. This is good, because next week in Austin we will have another Keysigning Session. To help expedite the follow-up, I have posted the procedure and script I used to get all the verified keys signed and submitted.
