Re: No Padlock OID

From: Mike Beltzner <beltzner@mozilla.com>
Date: Sun, 22 Apr 2007 17:46:18 +0000
Message-ID: <1251863404-1177264044-cardhu_blackberry.rim.net-1884834-@bwe017-cell00.bisx.prod.on.blackberry>
To: "Hallam-Baker, Phillip" <pbaker@verisign.com>, public-wsc-wg-request@w3.org, public-wsc-wg@w3.org
I am all for detaching the concepts of encryption and safety. Johnathan Nightingale and I have been casually talking about this. His blog posts on shifting the primary user-facing signals to be about identity instead of security illustrate our current thinking.

cheers,
mike 
  

-----Original Message-----
From: "Hallam-Baker, Phillip" <pbaker@verisign.com>
Date: Sun, 22 Apr 2007 07:01:13 
To:<public-wsc-wg@w3.org>
Subject: No Padlock OID

One of the main problems we face with certificates is that the padlock conflates encryption and authentication. 
  
There are many applications where we want encryption but we do not want to authenticate the certificate subject beyond domain-level assurance (in VeriSign terms, a class 1 certificate); SSL is normally class 3 or 3+EV.
  
Would the browser providers be prepared to support an OID which would disable the padlock display? Such a certificate would respond to https and turn on encryption, but without a padlock. 
  
  
The objective here is to support embedded devices like coffee pots and house cleaning robots where we want communication to the device to be encrypted but not pay for the level of authentication that would be required to issue a merchant certificate. 
  
 
Received on Sunday, 22 April 2007 17:47:36 GMT