Question: secure third-party attestations about web sites?

All,

During some of the discussions about HTTPS, the point was raised that HTTPS
gives you only an assurance about the identity of the site and the privacy
of your communication with that site. It tells you nothing about the
security and privacy properties of the site itself.

It occurred to me that there are many third-party organizations, eTrust or
any of the anti-virus people for example, that do aim to give users
information about the security and privacy properties of sites (both
positive and negative). But there is, as far as I know, no secure mechanism
for these attestations to be presented to users: case-by-case policing of
abuse of those logos / marks is the only defense.

So my question is whether there is any ongoing work, or if it even makes
sense, for UAs to play a role in secure delivery of such third-party
attestations to users? (I would expect it to be a long-term project - I'm
not thinking about quick-fixes here).

Thanks in advance,

Mark

Received on Wednesday, 29 April 2015 15:42:02 UTC