W3C home > Mailing lists > Public > public-wsc-wg@w3.org > January 2007

Re: Browser security warning

From: George Staikos <staikos@kde.org>
Date: Sun, 7 Jan 2007 12:54:47 -0800
Message-Id: <09408CC6-9BAF-4F93-92CE-A7DC341E263B@kde.org>
To: W3 Work Group <public-wsc-wg@w3.org>


On 27-Dec-06, at 9:20 AM, Stephen Farrell wrote:

> Stuart E. Schechter wrote:
>
>>    I don't think there is a large set of sites that can't afford a  
>> CA cert
>> (category 2) and actually require the security offered by HTTPS.
>
> I don't know of any evidence for that, but would be interested if  
> there
> were some. (Technically, I could also quibble a bit with your  
> statement,
> since we're discussing server-authentication, so I guess you meant an
> SSL-server cert above and HTTPS can also be used with D-H, without
> providing server authentication, though that doesn't get much use.)
>
> (At least in the developed world,) the point is not the actual amount,
> but whether or not to increase the existing bias towards getting
> people to pay commercial CAs for certs or not. Commercial CAs have
> their purpose, but should not IMO be required in order to create a
> perception of security for HTTP traffic. Sometimes they are
> appropriate, sometimes they just add a burden that arguably could
> cause less use of SSL - if its too much hassle to turn it on.

   I think we should aim to avoid talking about costs.  Market  
pressures will solve this problem, and FWIW, the cost of a  
certificate is absolutely miniscule in the scope of the cost of  
operating a site no matter which country that site is located in.   
Home users and non-commercial users can just use their own issuing CA  
or self-signed cert.

--
George Staikos
KDE Developer				http://www.kde.org/
Staikos Computing Services Inc.		http://www.staikos.net/
Received on Sunday, 7 January 2007 20:55:25 UTC

This archive was generated by hypermail 2.3.1 : Tuesday, 6 January 2015 21:14:13 UTC