- From: Hallam-Baker, Phillip <pbaker@verisign.com>
- Date: Tue, 9 Jan 2007 07:57:44 -0800
- To: "Stephen Farrell" <stephen.farrell@cs.tcd.ie>
- Cc: "W3 Work Group" <public-wsc-wg@w3.org>

Another option here is SSL upgrade within HTTP. This might be an area where this type of capability is more appropriately handled. Get away from the HTTP:// HTTPS:// issue entirely.

> -----Original Message-----
> From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie]
> Sent: Tuesday, January 09, 2007 9:42 AM
> To: Hallam-Baker, Phillip
> Cc: W3 Work Group
> Subject: Re: Uses for self-signed certificates (Was: Browser security warning)
>
> Hallam-Baker, Phillip wrote:
> > I think that this comes down to the poorly considered semantics of the padlock icon. "It's encrypted" vs "It's safe".
>
> Tend to agree, but it's easy for us to be wise after the fact of course.
>
> > I have no problem turning on SSL any time at all provided that the user is not given a false sense of security. Don't show the padlock, maybe warn if the user actually typed in https://.
>
> In this use case, the content is both encrypted and, "secure," for many reasonable definitions of secure.
>
> That does not mean that all content accessed via a TLS session that uses a self-signed cert is the same - but hey, that's the point of the use case!
>
> S.

Received on Tuesday, 9 January 2007 17:14:14 UTC