RE: Uses for self-signed certificates (Was: Browser security warning)

From: Hallam-Baker, Phillip <pbaker@verisign.com>
Date: Tue, 9 Jan 2007 07:57:44 -0800
Message-ID: <198A730C2044DE4A96749D13E167AD370105A128@MOU1WNEXMB04.vcorp.ad.vrsn.com>
To: "Stephen Farrell" <stephen.farrell@cs.tcd.ie>
Cc: "W3 Work Group" <public-wsc-wg@w3.org>

Another option here is SSL upgrade within HTTP.

This might be an area where this type of capability is more appropriately handled. Get away from the HTTP:// HTTPS:// issue entirely.

 

> -----Original Message-----
> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie] 
> Sent: Tuesday, January 09, 2007 9:42 AM
> To: Hallam-Baker, Phillip
> Cc: W3 Work Group
> Subject: Re: Uses for self-signed certificates (Was: Browser 
> security warning)
> 
> 
> 
> Hallam-Baker, Phillip wrote:
> > I think that this comes down to the poorly considered
> > semantics of the padlock icon. "It's encrypted" vs "It's safe".
> 
> Tend to agree, but it's easy for us to be wise after the fact
> of course.
> 
> > I have no problem turning on SSL any time at all provided
> > that the user is not given a false sense of security. Don't
> > show the padlock, maybe warn if the user actually typed in https://.
> 
> In this use case, the content is both encrypted and, "secure,"
> for many reasonable definitions of secure.
> 
> That does not mean that all content accessed via a TLS 
> session that uses a self-signed cert is the same - but hey, 
> that's the point of the use case!
> 
> S.
> 
> 
Received on Tuesday, 9 January 2007 17:14:14 UTC