Re: Browser security warning from Mary Ellen Zurko on 2007-01-08 (public-wsc-wg@w3.org from January 2007)

From: Mary Ellen Zurko <Mary_Ellen_Zurko@notesdev.ibm.com>
Date: Mon, 8 Jan 2007 08:30:11 -0500
To: "George Staikos <staikos" <staikos@kde.org>
Cc: W3 Work Group <public-wsc-wg@w3.org>
Message-ID: <OF483536F9.9FE68B01-ON8525725D.004A0F36-8525725D.004A2D02@LocalDomain>

I agree that cost is not the biggest issue. Convenience/usability and 
control/policy seem to be much more important. 

          Mez

Mary Ellen Zurko, STSM, IBM Lotus CTO Office       (t/l 333-6389)
Lotus/WPLC Security Strategy and Patent Innovation Architect




George Staikos <staikos@kde.org> 
Sent by: public-wsc-wg-request@w3.org
01/07/2007 03:54 PM

To
W3 Work Group <public-wsc-wg@w3.org>
cc

Subject
Re: Browser security warning








On 27-Dec-06, at 9:20 AM, Stephen Farrell wrote:

> Stuart E. Schechter wrote:
>
>>    I don't think there is a large set of sites that can't afford a 
>> CA cert
>> (category 2) and actually require the security offered by HTTPS.
>
> I don't know of any evidence for that, but would be interested if 
> there
> were some. (Technically, I could also quibble a bit with your 
> statement,
> since we're discussing server-authentication, so I guess you meant an
> SSL-server cert above and HTTPS can also be used with D-H, without
> providing server authentication, though that doesn't get much use.)
>
> (At least in the developed world,) the point is not the actual amount,
> but whether or not to increase the existing bias towards getting
> people to pay commercial CAs for certs or not. Commercial CAs have
> their purpose, but should not IMO be required in order to create a
> perception of security for HTTP traffic. Sometimes they are
> appropriate, sometimes they just add a burden that arguably could
> cause less use of SSL - if its too much hassle to turn it on.

   I think we should aim to avoid talking about costs.  Market 
pressures will solve this problem, and FWIW, the cost of a 
certificate is absolutely miniscule in the scope of the cost of 
operating a site no matter which country that site is located in. 
Home users and non-commercial users can just use their own issuing CA 
or self-signed cert.

--
George Staikos
KDE Developer                                                            
http://www.kde.org/
Staikos Computing Services Inc.                          
http://www.staikos.net/

Received on Monday, 8 January 2007 13:30:17 UTC