On 03/23/2009 10:27 PM, Nelson B Bolyard:
> I'd change that last line to this:
>
> Click here to bet your career that this cert is genuine and not a forgery.
>
> I'd suggest that we also display the URL for the user to see before
> deciding, but we know that users would click without even looking at it.
>
> Because of the security risks AIAs present to relying parties, I see AIA
> as a way to help Subject parties (the people SENDING the certs), not relying
> parties (the people receiving and attempting to validate them).

The "security risk" is a big hype, Nelson! Any embedded object in a
simple web page has that risk - https or not. The risk is well
understood for every single web page anybody may visit every day. It's
in my opinion crazy that this is the reason blocking certificate
fetching when the benefit for doing so would be far reaching for the
usability of certificates and secured sites. You must have some
masochistic urge ;-)
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto