Eddy Nigg (StartCom Ltd.) wrote:
[...]
> Jeremy, I think one of the problems with self-signed certificates is
> what I call "warning-popup-click-away-effect". People simply got used to
> clicking through the warnings, which in some way deflated the SSL
> authentication model further (speaking here only about domain validated
> authentication - identity or organization validation is yet another
> issue). Would the casual user have the means and knowledge to differ
> between self-signed and CA issued certificates - like you and me most
> likely do, the problem wouldn't be such. However this is not the case
> and therefore the steps taken by Mozilla I guess.

Well, I think if FF3 switches completely to the new identity info model as proposed in bug #, then hopefully yes they will. Basically, if there ain't a big green section in the URLbar with a name you trust in it, don't use it for, say, online banking. However what I'd like to avoid is a warning popup when you're using a self-signed cert. I certainly don't see them as *less* secure than HTTP.

> Considering the effect it will have on the millions of casual users - it
> dwarfs the negative effect it has on web site owners who preferred to use
> self-signed certificates. But I invite you to read an article I wrote
> not long ago at https://blog.startcom.org/?p=33 which gives some heads
> up. Certainly nothing is guaranteed forever, but provides an alternative
> to self-signed certificates today. Just my two cents...

Interesting, but in that blog you merely state that you will do it for free; you don't say how. :-) Care to elaborate? I guess you, like most companies offering stuff for free, do it by having low costs, getting big donations, and people buying more 'advanced' products?

Best regards,
Jeremy Morton (Jez)
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto