On 05/21/2010 05:51 PM, From Gervase Markham:
> On 21/05/10 12:11, Eddy Nigg wrote:
>> And your whole arguing starts to become ridiculous.
>
> Not at all. He is saying that the browser cannot tell whether a
> certificate problem is the result of an attack or the result of a
> misconfiguration. And that's absolutely correct. Isn't it?

The browser can say if a certificate chains correctly to a trusted root
for the intended target. This is what it's about, because for everything
else neither the browser nor the user can truly know if there is an
attack or not.

We have only a result that is valid and all the rest. The rest might be
anything from sloppy configuration, invalid certificates to an attack.

> Otherwise we'd just not put up errors for the misconfigurations, only
> for the attacks :-)

No Sir, because CAs will only warrant for certificates that chained to
their root and are correctly installed and not revoked. The rest is
pretty irrelevant from my point of view - the rest can be all attacks
and we don't know.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
XMPP: start...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg