* Eddy Nigg:

> On 12/27/2008 05:38 PM, Florian Weimer:
>>> Isn't that, by itself, a very good reason to take immediate action?
>>> Security should be default-fail rather than default-pass.
>>
>> This is not about security, this is about the presence or absence of
>> an obscure browser warning.
>
> Huuu? Have you understood the issue at all?

I think so.

> I'm not sure...however it's not about browser warnings. This is
> about security proper.

As a downstream distributor of Mozilla code, I'd hate to roll out
updates (especially security updates) just because CAs start to play
games with each other.  This is not about "security proper".  You're
trying to pull us into a PR attack on one of your competitors, thereby
willingly reducing confidence in ecommerce.  (I'm exaggerating a bit,
of course.)

> Or how else would you explain an MITM attack?

If users edit /etc/hosts to complete the attack, it's their fault.

Even if you've got the certificate, you need to attack IP routing or
DNS.  If you can do that, chances are that you can mount this attack
against one of the domain-validating RAs, and still receive a
certificate.  So the browser PKI is currently irrelevant for practical
purposes (beyond CA revenues and giving users a warm, fuzzy feeling),
even if everybody follows established RA procedures.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
