At 05:07 AM 9/30/99 , Ben Laurie wrote:
> > I know that if I then click on the
> > key-or-lock-or-whatever icon (or otherwise request security info for the
> > current page) .... However, ignoring the requestable
> > security info, what authentication does the browser do of the URL
> > itself?
>
>What do you mean "ignoring the requestable security info"? If you ignore
>that, you aren't doing SSL. You know you are getting data from fudco.com
>because they have a certificate that says so.
I meant, the human not interactively requesting security info about the page, or ignoring what he reads if he does. I wanted to separate the authentication offered through this info-about-the-page interface from that required (by a conforming implementation) to dereference the URL itself. From your response, it sounds like the browser is obligated to do the right thing. Now we need to ask what CAs claim to certify.
The reason I asked is that my model of what CAs (like Verisign) do is mostly authenticate (weakly) the correspondence between a key and an email address and/or a real world name. Do they also claim to authenticate the correspondence between a key and domain name ownership? If the answer to this is adequate, I'd say the Droplets capability/URL idea is home free!
In case it isn't clear to anyone, I am asking these questions from a vast pool of ignorance. Thanks for your indulgence.
Cheers,
--MarkM