New SSL Certificates, now with Green which is More Safer!

As noted in The Register, Verisign teams up with Microsoft to enhance the user experience of Internet Explorer 7 when browsing SSL-protected sites. Verisign will sell High Assurance certificates to sites that pass a more stringent identity verification than is currently the norm. When it encounters such a certificate, IE 7 will turn the address bar green in addition to displaying the usual padlock. A Phishing Filter (Philter?) turns the address bar red when the user accesses a known phishing site.

While I hope that they include enough visual cues for the red/green colorblind among us, I don’t dislike this idea. Is it a scam? Not necessarily. Details about what a High Assurance or Extended Validation certificate actually comprises are scarce, but it’ll probably take the form of a certificate attribute that Verisign will set on these mo’ expensive, mo’ better certificates. Such an attribute can be set by any CA, parsed by any browser and can be ignored by the enormous installed base of credit card wielding, revenue generating users of older browsers. Whether or not a company drinks the Microsoft/Verisign Kool-aid, they hopefully won’t stand for breaking backwards compatibility. On the other side, it’s the responsibility of the Certificate Authorities to only set this attribute on their mo’ better certificates, for which they in turn can charge mo’ money.

This whole thing ties into a new concept of Trust. The situation is not black and white anymore. Trust is the new green. Or yellow, or red. You can get a cheap certificate by proving that you can ping an e-mail back and forth to the CA. This shows them that you have access to e-mail on the domain, which is good enough for them as an (automated) identity verification. Whether said domain is practically undistinguishable from that of an actual business falls outside this check. One would dearly hope that applicants for a High Assurance certificate undergo more scrutiny than that.

Earlier this month at ApacheCon, I attended a very interesting talk by Lisa Dusseault about Federated Identities. As she talked about rate-limiting the creation of centrally verified identities to thwart spammers, she came up with the Fifty Dollar identity. The knowledge that the party you are talking to has a non-trivial sum of money behind their identity record might positively affect the trust you place in that identity. I see much the same happen with this new server-side certificate paradigm: cheap normal certificates you trust a little, and mo’ Green mo’ better certificates you might trust more. So far, browsers have not given us any idea about the quality of a site’s certificate. It’s either trusted, or the browser puts up a slew of scary dialogs. The red/green address bar might bring some nuance to this concept and put a more human face on the concept of the identity of a web site.


Bat and Switch

I have been to Austin a number of times over the past couple of years. This past ApacheCon was the first time I actually stayed downtown rather than in one of the hotel ghettos on the perimeter. Hence, this was the first time I got a real taste of the absolutely crazy party scene on 4th and 6th streets… bar after bar after bar, every single one with a live band, each one louder than the one before. I guess this is why they call it the Live Music Capital of the World…

One of Austin’s many attractions is the bat colony at Congress Avenue bridge. This is a colony of Mexican Free-tailed Bats that comes north every year to give birth, and settles under the Congress Avenue bridge over Lake Austin through the end of summer. Around sunset, they wake up and fly out to feed on insects. Bat-watching is a popular activity and you can call the Bat Hotline (on the Batphone?) to find out when they are expected to appear. We hear that the sky turns black with bats as up to 1.5 million of them take to the air.

We went to see them with a bunch of people on the last evening of the conference, but unfortunately the bats did not appear. We only saw four or five or so… perhaps they had taken the night off.


Back from ApacheCon

So, having returned from ApacheCon Austin, let’s take stock and see how I did on the To-do List. I did catch up with a bunch of people. I completely missed the Infrastructure committee meeting, and successfully avoided giving a Lightning Talk. Sally’s Media and Analyst training was a good eye opener, and we wound up being interviewed by a Real Analyst. As noted elsewhere, the talks and keysigning were completely hectic. We went to watch the Spazmatics on Wednesday night, and saw the Old 97s on Friday night at Stubbs Barbecue. And, oh yes, beer was consumed.

Finally, when the sign at the airport concessions says that the muffins and pastries are “Baked Fresh Daily”, it means they aren’t. Actually, they may be baked fresh daily, they just take a five day journey between the bakery and the airport concession. Pfyech!


Thursday at ApacheCon

Yesterday was packed to distraction. I gave both my talks and hosted the keysigning session.

The talks went OK… the content of the first one is kind of old, but sixty people showed up so there must be a need. I discovered one big hole as I went along: I talk about Apache 2.x Multi-Processing Modules, but never actually list the available options. Some graphics would be nice as well in that section, and I can lose a couple of the detail slides.

I’m not happy with the way the KeySigning went. Several people who mailed me their keys turned out to not be on the list, which is just unfortunate. I seem to achieve a higher level of disorganization every time I do this, and feel a need to break that trend.

However, having all of my sessions on the first day leaves me to enjoy the rest of the conference without having obligations hanging over my head. This morning I attended a talk by Rich Bowen and John Coggeshall that went into the supposed animosity between the Apache and PHP communities. Very informative.


Things To Do at ApacheCon

I arrived in Austin this afternoon for ApacheCon US 2006. Since everyone is doing it, let me post a modest to-do list:

  • Reconnect with folks I haven’t seen since Dublin
  • Reconnect with folks I haven’t seen since San Diego
  • Infrastructure Group meeting Tuesday morning
  • Media and Analyst Training Tutorial on Tuesday afternoon
  • Prepare for my talks and present them on Wednesday
  • Host the PGP Keysigning on Wednesday night
  • See several bands while I’m here
  • Try to avoid giving a Lightning Talk
  • Drink beer

Not a lot of entries that actually have anything to do with code. Perhaps I can find some code this week to which I can contribute. I’ll try to regularly blog during the conference, but we’ll have to see how well this resolution, or any of the above, will hold up. Fortunately, several of the action items are in full progress, including the “Drink beer” part.


Incentives for Cleaner Air

Matt comments on my mentioning that the State of California is suing auto makers for emissions. He proposes that instead of the manufacturers, the individual motorists should pay for putting bad stuff into the air: “Taxing at the pump hits the person who is causing the emissions and taxes them according to how much they put out.”

Maybe that’s what we need to do. The basic idea is to reduce the amount of carbon dioxide emitted into the atmosphere. The question is how to get the best results with the least effort and the greatest political viability. Where does one start? Power plants would be a good central point at which to sequester carbon dioxide emissions, much more so than individual cars. Electric cars would be great, but they haven’t really arrived despite some promising developments.

It’s really all about incentives. High gas prices and the perk of driving solo in the carpool lane have fueled (ahem) Hybrid vehicle popularity in California. Should we make gas prices even higher to drive more motorists into hybrids? That would not be a very popular election platform. Going after auto makers may be a more viable approach. Fair? Maybe not. But it doesn’t need the popular vote.

Interesting web link: the EPA makes available fuel economy and emissions data for recent vehicles. This is another good place to check when considering buying a new or used car.


Gore: Tax Pollution

Reuters mentions a speech by Al Gore where he proposed to levy taxes on pollution caused by companies rather than on the wages they pay their employees. The full text of his speech at NYU is also available.

Meanwhile, the state of California sues the world’s six largest auto makers for damages caused by global warming.

While stuff like this may seem far-fetched, it actually makes sense in a way. It goes against the notion that you can just dump your exhaust into the atmosphere and watch it waft away to go bother someone else. We pay, sometimes a lot, to have our waste water treated, and our solid waste hauled away and neatly put all in the same place where it can someday be a golf course. Meanwhile, we are all blowing smoke into the air without any cost or personal consequences. On what planet is that OK?
