[cap-talk] A petname toolbar for Firefox - self signed certs and warning popups
Ian G
iang at systemics.com
Tue Feb 22 16:08:37 EST 2005
David Wagner wrote:
>Jed writes:
>
>>At 07:39 PM 2/18/2005, David Wagner wrote:
>>
>>>[...] use self-signed HTTPS certificates [...]
>>
>>I believe the reason more people don't take the above approach is that
>>browsers are configured to complain if the certificate signing authority
>>isn't in their default set. That produces an annoying popup [...]
>
>Yes, absolutely.
>
>>Who among us wants our users to see such warnings about site
>>misconfiguration or sites pretending to be who they aren't to obtain
>>our confidential information?
>
>Right. That is the practical barrier, and it is a significant one.
>I agree 100%.
>
Unfortunately proceeding along those lines
runs smack bang into "oooo - evil MITMs" and
has no traction in the browser programming
community.

The line I've adopted is that of CA branding,
as somewhat augmented by the logo approach
of A&A and petnames as discussed here.

My view is that however you look at it, this
approach drives us forward to deal with
phishing.

The fact that this also leads us to a point where
SSCs can be dealt with for what they are is
somewhat a side issue in the debate; the
thing to do is to treat the cert - any cert - as
the key to the relationship.

So, if you're following my logic so far, I think
this issue will resolve itself in due course.

iang
--
News and views on what matters in finance+crypto:
http://financialcryptography.com/