David E. Ross:
I visit some Web sites with self-signed certificates. None of those sites request any input from me. The only reason they have site certificates is that the site owners want to show off how technically astute they are. Hah! However, those sites do indeed contain information that I want. I definitely do not want to be locked out of them.
Connect to plain text then.
I have also visited sites with incorrectly configured site certificates. In at least one situation, the owner decided to change the domain name without getting a new certificate for the new domain. In several cases, intermediate certificates were not installed, contrary to explicit instructions from the certificate authorities. I definitely do not want to be locked out of these sites either.
When the visitor statistics suddenly goes down, web site owners will take action. Besides that I think Firefox MUST do a better job in case of missing CA certificates in the chain (yes, I'd prefer it also otherwise, but it's a too common error to ignore).
In the end of the day, 98% of the time you'll be able to connect in plain http. For the other 2% there must be a way to visit that site - for you and other savvy users. Not for 99.9% of the users however. They should not visit such sites because they don't have the knowledge to differentiate between an attack and carelessness.
Requiring a change to about:config would facilitate your needs (because you have the knowledge to do both - change the config and know what it means), while still protecting the standard user who neither cares about security nor has any clue what certificates are.
-- Regards Signer: Eddy Nigg, StartCom Ltd. Jabber: [EMAIL PROTECTED] Blog: https://blog.startcom.org _______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
