Re: Draft finding - "Transitioning the Web to HTTPS"

In case some missed this:

http://blogs.msdn.com/b/ie/archive/2015/02/16/http-strict-transport-security-comes-to-internet-explorer.aspx

On Tue, Jan 20, 2015 at 4:49 AM, Anne van Kesteren <annevk@annevk.nl> wrote:

> On Tue, Jan 20, 2015 at 1:28 PM,  <chaals@yandex-team.ru> wrote:
> > 19.01.2015, 15:01, "Anne van Kesteren" <annevk@annevk.nl>:
> >> Anything but proper CA certificates is a major attack vector
> >
> > This is misleading. "proper CA certificates" is a very ill-defined term.
>
> It seems you missed the earlier email where I established that
> non-user installed CAs are vetted. And that as far as Gecko goes (and
> I believe Chromium uses a derivative) there's a public vetting process
> for CAs: https://wiki.mozilla.org/CA That process is quite well
> defined and has seen over a decade of practice.
>
>
> --
> https://annevankesteren.nl/
>
>

Received on Tuesday, 17 February 2015 13:11:21 UTC