- From: Eric Mill <eric@konklone.com>
- Date: Mon, 16 Feb 2015 02:04:00 -0500
- To: Ryan Sleevi <sleevi@google.com>
- Cc: www-tag@w3.org

On Mon, Feb 16, 2015 at 12:25 AM, Ryan Sleevi <sleevi@google.com> wrote:

> For every browser but Firefox (as distributed by Mozilla), installing
> a root certificate is the same as installing/executing a native
> application. It's a choice the user makes to modify their OS. The
> browser fully hands off this decision to the OS, as it does all
> executable files, to let the OS make its decisions.

Handing off root certificate installation to the underlying OS is an implementation decision that the browser makes. Mozilla's Firefox is just the only example of a browser that made a different choice.

That's what makes certificate installation different than downloading a binary to your computer. You're not installing a binary _into your browser_. There's a highly managed extension workflow for that. When you use your browser to install a certificate, the conceptual action taking place is that you're installing a certificate _into your browser_.

That many browsers use the conveniently available OS workflow for doing that makes engineering sense, and removes responsibility from the browser. However, it could be that one of the outcomes of talking about the browser's role in three-party HTTPS is to label that removal of responsibility as an abdication.

-- Eric

--
konklone.com | @konklone

Received on Monday, 16 February 2015 07:05:11 UTC