Mike,

On 7/18/12 8:54 AM, Mike Belshe wrote:

> Show me the user that will stand up and say, "Yes, I would like my
> communications to be snoopable and changeable by 3rd parties without
> my knowledge."

This is a red herring. The real argument is around the ability of all web servers to get certificates that the browser will / should trust, or using a means of trust that doesn't require certificate chains. The server administrator must not be put in a position of having to pay an annual fee to avoid the client warning, because that introduces at least a potential externality in that the server administrator may not value avoiding the warning in the way that you would expect. Certainly the end user doesn't act appropriately against the warning, which is why we're having this discussion [1,2][*].

Eliot

[1] Herley, C., "So Long, And No Thanks for the Externalities: The Rational Rejection of Security Advice by Users", /NSPW'09/, September 8–11, 2009.

[2] Egelman, S., et al., "You've been warned: an empirical study of the effectiveness of web browser phishing warnings", /Proceedings of the twenty-sixth annual SIGCHI conference on Human factors in computing systems/, 2008.

[*] There are probably dozens of citations in this space.

Received on Wednesday, 18 July 2012 13:57:00 GMT