AW: AW: AW: WebSocket API: close and error events

> > Does that mean Opera might just _silently_ reject untrusted certs
> > without giving the user a dialog to accept the cert?
> 
> Right.
> 
> > That would be unfortunate IMHO. Since then there is no way to get an
> > acceptable user experience any longer.
> >
> > I can't present a JS created notification and act accordingly, since
> > JS won't be allowed to detect "invalid cert".
> >
> > I can't rely on the browser rendering a builtin dialog for the user to
> > accept the cert.
> >
> > WSS just fails silently.
> >
> > How is a JS app using WSS supposed to create an acceptable user
> > experience?
> 
> By using a cert that isn't rejected.

There are situations when self-signed certs are quite common like on
private networks or where self-signed certs might be "necessary",
like with a software appliance that auto-creates a self-signed cert
on first boot (and the user is too lazy / does not have own CA).

The latter is our deployment scenario.

We won't ship a fresh key / cert created by an official CA with every appliance.

We won't force users to upload such a key/cert before they can use the appliance
with https and wss.

We need a smooth user experience for users to accept permanently the auto-created
self-signed certs for https and wss the appliance uses.

We will offer them a way to upload keys/certs when and if they want to.

Do you think thats an invalid use case / approach?

Received on Tuesday, 25 October 2011 21:12:40 UTC