- From: Zhong Yu <zhong.j.yu@gmail.com>
- Date: Wed, 18 Jul 2012 12:01:23 -0500
- To: "Adrien W. de Croy" <adrien@qbik.com>
- Cc: "ietf-http-wg@w3.org" <ietf-http-wg@w3.org>
On Tue, Jul 17, 2012 at 10:25 PM, Adrien W. de Croy <adrien@qbik.com> wrote:
> What about the other hundreds of millions of us running web servers. You
> gonna buy us our certs?

Agreed. It's absolutely impractical to mandate officially signed certs on every website. That's a huge hurdle for small sites; and all big sites started from small sites.

---

Here's a related story that's very interesting.

Self-signed certs are used by the official ticket booking site of the Ministry of Railways of China. Apparently they want to save a few bucks. Customers are asked to download and install an untrusted root cert from its website. From the average user's point of view, that makes sense - if you do more work, that's got to increase security, right? Almost everybody in China takes trains; this root cert must have been installed widely.

http://www.12306.cn
"To ensure a smooth booking experience, please download and install the root certificate"

http://www.12306.cn/mormhweb/kyfw/question/201204/t20120427_2115.html
FAQ > Security Alert
When a user tries to log in, often he/she will see IE security warnings ... That's because the user has not imported the root certificate shown on the home page ... To navigate the site smoothly, simply follow the instructions and import the root certificate.

the root cert and instructions:
http://www.12306.cn/mormhweb/ggxxfw/wbyyzj/201106/srca12306.zip

a cert signed by the root cert:
https://dynamic.12306.cn

Received on Wednesday, 18 July 2012 17:01:51 UTC