Kyle Hamilton:
> Well, I think I need to ask this question:
>
> Who are we trying to protect by being part of the EV system?
>
> Are we trying to protect the sites that have EV certificates? (no)
> Are we trying to protect the trust that we're trying to build in the
> EV infrastructure? (yes)
> Are we trying to protect the CAs and the trust that they're trying to
> build? (not really)
> Are we trying to protect the Mozilla Foundation? (yes)
>
> Or are we trying to protect the users who have to deal with sites that
> have security exploits pop up? (YES.)
>
> The overriding concern seems to be to protect the users, and protect
> the trust in the EV structure. The fact that in order to do that we
> also incidentally have to help the sites with the EV certificates is
> secondary, and shouldn't even be a concern.
>
> Do not cut off the nose to spite the face. Do not try to make a point
> that will, by being made, destroy what many people have been trying to
> build.
>
Well, let's make one thing clear... A company the size of Paypal which handles financial transactions in the billions must take responsibility for their actions. What you are saying here is that Mozilla must prevent financial damages inflicted (deliberately) by another party! How come?

Now it was exactly Paypal which publicly threatened Mozilla to disable support at their web sites for the Firefox browser, because it took here somewhat longer to enable EV support! You can re-read the historic discussions which we held here about if Mozilla should adopt EV and every time the Paypal argument came up, I countered that it will not help a dime because of their sloppy design decisions in their code. Nothing has changed apparently after more than two years.

Tomorrow they'll provide perhaps a web form "For phishers enter your URL here" for the convenience of phishers... and then what? Are you suggesting to prevent that as well? Because the URL and query return=http%3A%2F%2Fpaypal-cgi-bin.s6.pl is essentially that! Never mind that the certificate isn't trusted for that web site... but it could easily be.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto