- From: Tobias Oberstein <tobias.oberstein@tavendo.de>
- Date: Tue, 25 Oct 2011 14:11:58 -0700
- To: Simon Pieters <simonp@opera.com>, Ian Hickson <ian@hixie.ch>
- CC: "public-webapps@w3.org" <public-webapps@w3.org>
> > Does that mean Opera might just _silently_ reject untrusted certs > > without giving the user a dialog to accept the cert? > > Right. > > > That would be unfortunate IMHO. Since then there is no way to get an > > acceptable user experience any longer. > > > > I can't present a JS created notification and act accordingly, since > > JS won't be allowed to detect "invalid cert". > > > > I can't rely on the browser rendering a builtin dialog for the user to > > accept the cert. > > > > WSS just fails silently. > > > > How is a JS app using WSS supposed to create an acceptable user > > experience? > > By using a cert that isn't rejected. There are situations when self-signed certs are quite common like on private networks or where self-signed certs might be "necessary", like with a software appliance that auto-creates a self-signed cert on first boot (and the user is too lazy / does not have own CA). The latter is our deployment scenario. We won't ship a fresh key / cert created by an official CA with every appliance. We won't force users to upload such a key/cert before they can use the appliance with https and wss. We need a smooth user experience for users to accept permanently the auto-created self-signed certs for https and wss the appliance uses. We will offer them a way to upload keys/certs when and if they want to. Do you think thats an invalid use case / approach?
Received on Tuesday, 25 October 2011 21:12:40 UTC