
Re: Considering the pressure to turn HTTPS into a three-party protocol

From: Ryan Sleevi <sleevi@google.com>
Date: Sun, 15 Feb 2015 21:12:13 -0800
Message-ID: <CACvaWvahQNBJU2LhZXocEh1qLh7RjrKPqmsXLc_W2yzrsRqB_Q@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: "www-tag@w3.org List" <www-tag@w3.org>

On Sun, Feb 15, 2015 at 6:30 PM, Mark Nottingham <mnot@mnot.net> wrote:

> CA certs and extensions are built into all of the major browsers.

This is demonstrably not true.

Chrome (on most platforms), Opera (post-Blink), IE, Safari, and Firefox
(as packaged by every major Linux distro, but not as distributed by
Mozilla) all treat CA certificates as part of the OS/operating
environment, much in the same way that name resolution is.

Of those that distribute certs in-band, this is only Firefox (as
distributed by Mozilla) and Opera (prior to Blink).

I realize I'm ignoring a large swathe of UAs in that mix, but I think
if we're going to use terms like "all major browsers", then it's worth
noting how incorrect this statement is.

> Because this is a question of how the Web is presented to and understood by end users,

Having the W3C issue findings on how the Web presents security indicia
has historically gone over like a lead balloon (cf.
http://www.w3.org/TR/wsc-ui/ )

Received on Monday, 16 February 2015 05:12:41 UTC
