On 05/21/2010 07:36 AM, From Matt McCutchen:
That's not right. We are discussing SSL as a /means/ to prevent
impersonation of the site the user wanted to visit. In this context,
a "false positive" is defined as an SSL error when no impersonation is
taking place.
Oh really? And how do you know?
I'm not claiming that the user knows.
And how do YOU know? How does the application know?
If the host name(s) of the certificate doesn't match the accessed site,
this is not a false positive. That's because the certificate was not
issued for that site but for a different one. Or is Matt McCutchen and
Catt McMutchen the same thing?
If the issuer of the certificate doesn't chain to an authority you
trust, it is not a false positive. You can't start a guessing game if
certificate might chain to an authority you considered trustworthy. It's
not such a good idea to trust a certificate just because the issuer is
called Verisign.
There are many more errors obviously...and they are all real.
There absolutely are from the perspective of a user who uses SSL as a
means to prevent impersonation of the site he/she wants to visit,
which describes me and probably most of the public.
That's simply wrong, if an error happens you should not rely on it,
simply as that. You can read any (most) CA policies that disclaim any
warranty and liability if such an error occurs. The CA advices you NOT
to rely on it and you can't make any claims if something bad happens.
I don't care if you or others feel comfortable to access your bank,
Paypal account or whatever even if the browser issues an error, however
for the casual user who represents 99.9% of the user base, these error
messages are very important to protect them.
For a site administrator, having a valid SSL certificate makes it
easier for users to connect securely with current technology (since
they don't have to perform out-of-band verification), and for this
reason I strongly encourage it.
There is only one way for a certificate is valid and this is, if you
trust the issuer. Feel free to add any CA root to your trusted
authorities, but don't expect that Mozilla will add any of them without
proper vetting and compliance procedure.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
XMPP: start...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
