- From: Yngve N. Pettersen (Developer Opera Software ASA) <yngve@opera.com>
- Date: Sat, 10 Feb 2007 00:12:02 +0100
- To: "Thomas Roessler" <tlr@w3.org>
- Cc: "public-wsc-wg@w3.org" <public-wsc-wg@w3.org>
On Fri, 09 Feb 2007 23:28:39 +0100, Thomas Roessler <tlr@w3.org> wrote:

>
> On 2007-02-09 01:13:27 +0100, Yngve N. Pettersen (Developer Opera
> Software ASA) wrote:
>
>> If more than one warning is necessary the most severe is
>> identified by the dialog, and the rest are listed in a list in
>> the dialog.
>
>> These problems can be resolved for the rest of the session, but
>> unless they can be solved by installing certificates in the
>> database (or on the server) the warning will be displayed next time
>> Opera has been reset.
>
> Playing around a bit with Opera 9 here, it looks as if Opera keeps
> state about unsafe certificates visible when the user overrides;
> interestingly, it doesn't go the additional step of telling me "but
> you chose to accept this certificate."

We are looking at improving the information displayed in the security toolbar and the associated dialog, and the information used for the security toolbar dialog contains information about why the security level is low, but not all of that information is currently available in the dialog.

The information is also available through a link in the Info panel, although some of it is only encoded as XML tags that are not normally visible (I expect that a customized stylesheet would be able to turn them visible).

>> The user can also specify a preference for a certificate in the
>> root store that makes Opera warn whenever a certificate is part
>> of a certificate's chain. This is the default whenever a
>> certificate is installed by downloading (but not when installing
>> from an unknown root dialog).
>
> Do you have any data whether people actually use that option?

AFAIK we don't have any data, but I don't think there are many who use it, but it is an option that is available for advanced users.

>> "The signatures of this certificate could not be verified. While
>> this can be caused by the issuer using the wrong method to sign
>> the certificate, it can also be caused by attempts to modify or
>> fake the certificate."
>
> I take it that this is considered a fatal error that does not permit
> a user override?

That is correct. It causes a bug report or a support request now and then when the certificate in question is using the selfsigned-but-not-really-selfsigned chain I described.

>> The user can also, in addition to the certificate warning
>> preference mentioned above, specify that all access to sites
>> using a specific certificate in the root store is forbidden. This
>> will be indicated by an error specifying the certificate is valid
>> but access is forbidden.
>
> Once again, I'd be curious to learn to what extent that feature is
> actually in use.

As with the warning, I do not think many users use this flag, but again it is available for advanced users.

However, we have used it for some of the embedded roots when the roots are not used for webserver certificates, but only for personal certificates (these also get the warn-flag). For that purpose it is becoming obsolete since all or most CAs now use extensions to indicate the permitted use of a certificate.

These flags can be used by a user that for some reason does not trust a certificate authority.

--
Sincerely,
Yngve N. Pettersen

********************************************************************
Senior Developer                     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone:  +47 24 16 42 60              Fax:    +47 24 16 40 01
********************************************************************
Received on Friday, 9 February 2007 23:12:26 UTC
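
The behaviour described in this thread, modelled as an added Python example (not Opera's code and not part of the original message): per-root warn and forbid flags, a signature failure with no override, and overrides that last only for the session. The problem codes, their severity ranking, the `Browser` and `Root` names, and the choice to offer no override for a forbidden root are assumptions made for the illustration.

```python
from dataclasses import dataclass, field

# Assumed ranking, most severe first; the thread does not state Opera's order.
RANK = ["bad_signature", "root_forbidden", "unknown_root", "expired", "root_warn_flag"]
FATAL = {"bad_signature", "root_forbidden"}  # assumed: no override offered

@dataclass
class Root:
    warn: bool = False  # warn whenever this root is part of a chain
    deny: bool = False  # forbid every site that chains to this root

@dataclass
class Browser:
    roots: dict = field(default_factory=dict)
    accepted: set = field(default_factory=set)  # session-only (host, problem)

    def install_root(self, name, via):
        # Warn flag defaults on for downloaded roots, off for roots
        # installed from the unknown-root dialog.
        self.roots[name] = Root(warn=(via == "download"))

    def evaluate(self, host, chain, problems):
        found = set(problems)
        known = [self.roots[n] for n in chain if n in self.roots]
        if not known:
            found.add("unknown_root")
        if any(r.deny for r in known):
            found.add("root_forbidden")
        if any(r.warn for r in known):
            found.add("root_warn_flag")
        ordered = sorted(found, key=lambda p: RANK.index(p) if p in RANK else len(RANK))
        fatal = [p for p in ordered if p in FATAL]
        pending = [p for p in ordered
                   if p not in FATAL and (host, p) not in self.accepted]
        shown = fatal + pending
        return {
            "load": not shown,
            "overridable": not fatal and bool(pending),
            "headline": shown[0] if shown else None,  # most severe problem
            "also_listed": shown[1:],                 # the rest, as a list
            "reduced_security": bool(ordered),        # stays set after override
        }

    def accept(self, host, problems):
        # User override: remembered for this session only, never for fatal errors.
        self.accepted |= {(host, p) for p in problems if p not in FATAL}

    def reset(self):
        self.accepted.clear()  # warnings return after a restart
```

Installing the missing root removes the `unknown_root` finding permanently, while `accept` only suppresses the dialog until `reset`; `reduced_security` stays true in the overridden case.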