On Fri, 2010-05-21 at 04:02 +0300, Eddy Nigg wrote:
> On 05/21/2010 03:23 AM, From Matt McCutchen:
> > On May 19, 11:28 am, Eddy Nigg<eddy_n...@startcom.org> wrote:
> >
> >> Well, just for the record, let's get this straight - there are no false
> >> positives. I have NEVER encountered an error with a web site and there
> >> was no reason for it. Either the certificate was not trusted or the
> >> domain did not match or other reasons. Those are real errors, those are
> >> not false positives, those are REAL positives.
> >>
> > That's not right. We are discussing SSL as a /means/ to prevent
> > impersonation of the site the user wanted to visit. In this context,
> > a "false positive" is defined as an SSL error when no impersonation is
> > taking place.
>
> Oh really? And how do you know?

I'm not claiming that the user knows. I only said that if there is in fact no impersonation, then the error is a false positive.

> There are no false positives, it all
> boils down to correct or incorrect.

There absolutely are from the perspective of a user who uses SSL as a means to prevent impersonation of the site he/she wants to visit, which describes me and probably most of the public. For a site administrator, having a valid SSL certificate makes it easier for users to connect securely with current technology (since they don't have to perform out-of-band verification), and for this reason I strongly encourage it. But you seem to be suggesting that having a valid SSL certificate is an end in itself, which is a view I don't subscribe to.

> Anything that is incorrect may not be relied upon because you actually
> can't know (from the outset, you might correct and check for the
> reasons, but this isn't anybody knows how to do).

That's true but beside the point.

--
Matt
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto