- From: Stephen Farrell <stephen.farrell@cs.tcd.ie>
- Date: Wed, 27 Dec 2006 17:20:46 +0000
- To: "Stuart E. Schechter" <ses@ll.mit.edu>
- CC: public-wsc-wg@w3.org

Stuart E. Schechter wrote:
> I don't think there is a large set of sites that can't afford a CA cert
> (category 2) and actually require the security offered by HTTPS.

I don't know of any evidence for that, but would be interested if there were some.

(Technically, I could also quibble a bit with your statement, since we're discussing server-authentication, so I guess you meant an SSL-server cert above and HTTPS can also be used with D-H, without providing server authentication, though that doesn't get much use.)

(At least in the developed world,) the point is not the actual amount, but whether or not to increase the existing bias towards getting people to pay commercial CAs for certs or not.

Commercial CAs have their purpose, but should not IMO be required in order to create a perception of security for HTTP traffic. Sometimes they are appropriate, sometimes they just add a burden that arguably could cause less use of SSL - if it's too much hassle to turn it on.

> I think the safest default behavior for a browser that receives a
> self-signed cert is to show an error page. The message should tell
> the user to contact the site's administrator to ask them to fix the
> problem.

I don't agree that self-signed certs are a problem and would really not like to see such browser behaviour encouraged.

The main point is that naively differentiating between a "secure" state (padlock) and an insecure one (no padlock) isn't very effective. I don't believe that changing from that binary approach to an N-ary one, where the N options map to TLS state-machine states, will be any more effective. We need a subtler mix...

S.

Received on Wednesday, 27 December 2006 17:20:14 UTC