- From: Johnathan Nightingale <johnath@mozilla.com>
- Date: Thu, 6 Mar 2008 12:26:40 -0500
- To: Thomas Roessler <tlr@w3.org>
- Cc: WSC WG <public-wsc-wg@w3.org>
On 6-Mar-08, at 2:25 AM, Thomas Roessler wrote: > It turns out that sourceforge.net is now using EV certificates (yes, > I noticed the green bar) -- but with a Common Name of > sourceforge.net, not www.sourceforge.net. > > Question, for purposes of the spec: Do we think that any EV > signalling should be present if the user has interactively granted > an exception in a case such as a mismatch between the URI's domain > name and the Common Name? My instinct would be "no"; at least one > current implementation, however, does use that signalling even > though I had to go through an exception dialogue first. My gut would be that no, that "augmented assurance" UI really does presume that the information has been strongly verified, which it hasn't been if there's a mismatch. I also wonder, if you found this in FF3, whether we have bug there, because I think we quite deliberately code against that possibility. It's hard for me to test though: I do have to add the override for www.sourceforge.net , but my attempts to connect there all get redirected back to sourceforge.net (with EV treatment). I can't get www.sourceforge.net to show me EV, because I can't get www.sourceforge.net to show me anything at all. :) Apologies though, this last part is sort of off- topic for the list. Cheers, J --- Johnathan Nightingale Human Shield johnath@mozilla.com
Received on Thursday, 6 March 2008 17:26:58 UTC