Re: Uses for self-signed certificates (Was: Browser security warning)

The protocol side of this is important, but heavily out of scope
here.  The display of security context information when
opportunistic encryption is used, however, strikes me as in-scope.

Cheers,
-- 
Thomas Roessler, W3C  <tlr@w3.org>

On 2007-01-09 07:57:44 -0800, Phillip Hallam-Baker wrote:
> From: "Hallam-Baker, Phillip" <pbaker@verisign.com>
> To: Stephen Farrell <stephen.farrell@cs.tcd.ie>
> Cc: W3 Work Group <public-wsc-wg@w3.org>
> Date: Tue, 9 Jan 2007 07:57:44 -0800
> Subject: RE: Uses for self-signed certificates (Was: Browser security warning)
> List-Id: <public-wsc-wg.w3.org>
> X-Archived-At: http://www.w3.org/mid/198A730C2044DE4A96749D13E167AD370105A128@MOU1WNEXMB04.vcorp.ad.vrsn.com
> 
> 
> Another option here is SSL upgrade within HTTP.
> 
> This might be an area where this type of capability is more appropriately handled. Get away from the HTTP:// HTTPS:// issue entirely.
> 
>  
> 
> > -----Original Message-----
> > From: Stephen Farrell [mailto:stephen.farrell@cs.tcd.ie] 
> > Sent: Tuesday, January 09, 2007 9:42 AM
> > To: Hallam-Baker, Phillip
> > Cc: W3 Work Group
> > Subject: Re: Uses for self-signed certificates (Was: Browser 
> > security warning)
> > 
> > 
> > 
> > Hallam-Baker, Phillip wrote:
> > > I think that this comes down to the poorly considered 
> > semantics of the padlock icon. "It's encrypted" vs "It's safe". 
> > 
> > Tend to agree, but it's easy for us to be wise after the fact 
> > of course.
> > 
> > > I have no problem turning on SSL any time at all provided 
> > that the user is not given a false sense of security. Don't 
> > show the padlock, maybe warn if the user actually typed in https://.
> > 
> > In this use case, the content is both encrypted and, "secure,"
> > for many reasonable definitions of secure.
> > 
> > That does not mean that all content accessed via a TLS 
> > session that uses a self-signed cert is the same - but hey, 
> > that's the point of the use case!
> > 
> > S.
> > 
> > 
> 
> 

Received on Tuesday, 9 January 2007 17:20:42 UTC