- From: Serge Egelman <egelman@cs.cmu.edu>
- Date: Tue, 31 Jul 2007 18:55:16 -0400
- To: "Yngve N. Pettersen" <yngve@opera.com>, pbaker@verisign.com, public-wsc-wg@w3.org

I was also looking into this earlier. From what I gather by reading the sources of VeriSign's extension for Firefox (I suspect Phill can confirm), the OIDs are stored statically in the browser (or the extension in this case). I assume inclusion is determined solely at the discretion of the browser vendor.

I suspect the EV cabal chose to do it this way, rather than creating a new EV extension, so that other CAs couldn't simply get users to add new EV roots to their browsers manually. Of course this threat model still exists if browsers allow extensions to create similar or identical EV indicators.

serge

Thomas Roessler wrote:
> In other words, we're not dealing with a machine-readable property
> of trust anchors, but with a property essentially signalled
> out-of-band.
>
> Doesn't strike me as particularly scalable, and I suspect Stephen
> will have comments on Monday. :)
>

--
/*
Serge Egelman

PhD Candidate
Vice President for External Affairs, Graduate Student Assembly
Carnegie Mellon University

Legislative Concerns Chair
National Association of Graduate-Professional Students
*/

Received on Tuesday, 31 July 2007 22:56:10 UTC