
Re: ACTION-272: self-signed certificates

From: Thomas Roessler <tlr@w3.org>
Date: Mon, 30 Jul 2007 18:03:32 -0400
To: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
Cc: public-wsc-wg@w3.org
Message-ID: <20070730220332.GG2974@raktajino.does-not-exist.org>

On 2007-07-30 17:24:18 -0400, Mary Ellen Zurko wrote:

> I'm unclear how this interacts with other proposals in terms of
> inputting data (particularly login credentials) the first few
> times I visit such a site. It sounds like the recommendation
> would make them look totally unidentified. Is that right? 

Yes, similar to Phil's "no-interaction" proposal:

  http://www.w3.org/2006/WSC/wiki/RecommendationDisplayProposals/NoSecurityIndicator

The additional idea in the self-signed certificate proposal is to
actually turn on the indicators after a while, and maybe even warn
(or block) if a self-signed certificate is changed.

There would also be a block page if a user hits a site for which a
CA has been used in the past, but for which he now encounters a
self-signed certificate.

> I think I'd need to consider this in the context of, say,
> Identity Signal to understand the impact and implications.

Indeed.

-- 
Thomas Roessler, W3C  <tlr@w3.org>
Received on Monday, 30 July 2007 22:03:41 GMT
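
The behaviour described in the message above, sketched as an added example; it is not part of the original message or of the proposal text. The visit threshold, the result names, the use of a certificate fingerprint for comparison, and the choice of "warn" rather than "block" for a changed certificate are assumptions.

```python
from dataclasses import dataclass

# Assumption: the message only says "after a while"; 3 visits is a placeholder.
VISITS_BEFORE_INDICATOR = 3


@dataclass
class HostRecord:
    fingerprint: str       # fingerprint of the last accepted certificate
    visits: int = 1        # visits on which that history was extended
    ca_seen: bool = False  # a CA-issued certificate was used in the past


class CertHistory:
    """Per-host certificate memory kept by a hypothetical user agent."""

    def __init__(self):
        self.hosts = {}

    def evaluate(self, host, fingerprint, self_signed):
        rec = self.hosts.get(host)
        if not self_signed:
            # CA-issued: ordinary path validation applies (not modelled here).
            # Remember that this host has used a CA.
            visits = rec.visits + 1 if rec else 1
            self.hosts[host] = HostRecord(fingerprint, visits, ca_seen=True)
            return "ca-validated"
        if rec is None:
            # First visit with a self-signed certificate: looks unidentified.
            self.hosts[host] = HostRecord(fingerprint)
            return "no-indicator"
        if rec.ca_seen:
            # CA used in the past, self-signed now: block page.
            return "block"
        if rec.fingerprint != fingerprint:
            # Self-signed certificate changed; stored history is left untouched.
            return "warn"
        rec.visits += 1
        if rec.visits >= VISITS_BEFORE_INDICATOR:
            return "indicator"
        return "no-indicator"


def demo():
    """Replay a constructed visit sequence and return the decisions."""
    h = CertHistory()
    visits = [("a.example", "fp1", True)] * 3 + [
        ("a.example", "fp2", True),    # changed self-signed certificate
        ("b.example", "fp-ca", False), # CA-issued certificate
        ("b.example", "fp-ss", True),  # same host, now self-signed
    ]
    return [h.evaluate(*v) for v in visits]
```
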
