Like in other parts of society people will rely on imperfect chains of trust to make social and economical life possible; there is an underlying eco system of trust that most people use in good faith without reflection.
As Melih stated authentication is about a legal paper trail. OV or EV cert are like registering to a chamber of commerce for a business. It provides a paper trail and may therefor make it a company more likely to be trustworthy. As in technion’s example it’s not a guarantee illegal activities will not happen but make it less likely.
Because most users will not check the cert information does neither make authentication less necessary nor make it less desirable because they help to constitute an eco system of trust
My1 seems to to be looking for absolute trust and shows various other chains of technological trust which also cannot provide absolute trust because nothing can provide absolute trust.
In the quoted post he now tries to discredit authentication because average users will not check. You can’t have it both ways. On the one hand you want authentication what it cannot provide; absolute trust. On the other hand you argue it is not of value because most users will not check certs.
My1 is having a hard time living with chains of trust which are neither based on absolute guarantees nor are able to provide absolute trust. Because authentication cannot provide absolute trust he then rather discredits it. He rather seems to have a no trust ecosystem rather than non perfect one. :-\
Now here is an area I agree with you when you say ‘because the average person does probably not know how to check the cert info’.
But why should they need to know how to check the certificate?
I have always been of the opinion that ‘user education’ must occur for all browser users to understand what they are seeing with regard to security on a website.
The way EV certificates initiate a green bar is a small step towards giving a visual aid to trust.
But, each browser is slightly different in the way it shows that an EV certificate is used.
That needs to change and be standardised.
So, reading your quoted post, what you want is the browser to show the user in a ‘simple to understand’ method how much they should trust the site based on the type of certificate used?
I could be wrong, I have been in the past and will be again in the future
We all have doors at home…we all know they can be broken…but we still have it…100% perfection doesn’t exist…good enough is what we are aiming for…removing good enough and replacing it with nothing is like everyone removing their doors because it can be broken.