- From: Yngve Nysaeter Pettersen <yngve@opera.com>
- Date: Thu, 06 Mar 2008 18:48:43 +0100
- To: "Johnathan Nightingale" <johnath@mozilla.com>, "Thomas Roessler" <tlr@w3.org>
- Cc: "WSC WG" <public-wsc-wg@w3.org>
On Thu, 06 Mar 2008 18:26:40 +0100, Johnathan Nightingale <johnath@mozilla.com> wrote:

>
> On 6-Mar-08, at 2:25 AM, Thomas Roessler wrote:
>> It turns out that sourceforge.net is now using EV certificates (yes,
>> I noticed the green bar) -- but with a Common Name of
>> sourceforge.net, not www.sourceforge.net.
>>
>> Question, for purposes of the spec: Do we think that any EV
>> signalling should be present if the user has interactively granted
>> an exception in a case such as a mismatch between the URI's domain
>> name and the Common Name? My instinct would be "no"; at least one
>> current implementation, however, does use that signalling even
>> though I had to go through an exception dialogue first.
>
>
> My gut would be that no, that "augmented assurance" UI really does
> presume that the information has been strongly verified, which it hasn't
> been if there's a mismatch.

I agree there.

> I also wonder, if you found this in FF3, whether we have a bug there,
> because I think we quite deliberately code against that possibility.
> It's hard for me to test though: I do have to add the override for
> www.sourceforge.net, but my attempts to connect there all get redirected
> back to sourceforge.net (with EV treatment). I can't get
> www.sourceforge.net to show me EV, because I can't get
> www.sourceforge.net to show me anything at all. :) Apologies though,
> this last part is sort of off-topic for the list.

I haven't checked the sourceforge certificate in my EV builds yet, but I don't think I have to: It gets a level zero treatment because they are mixing in an unsecure external script (at present the "jobs" section).

Update: Actually, it looks like it is even worse than I indicated above. I just looked at source of the site as loaded by IE7, and it is sending the external CSS over HTTP, and lots more unsecure external scripts, as well.

--
Sincerely,
Yngve N. Pettersen
********************************************************************
Senior Developer                     Email: yngve@opera.com
Opera Software ASA                   http://www.opera.com/
Phone: +47 24 16 42 60               Fax: +47 24 16 40 01
********************************************************************
Received on Thursday, 6 March 2008 17:51:29 UTC
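
The two conditions raised in this thread (no EV signalling after a user-granted name-mismatch exception, and a downgrade when an HTTPS page pulls scripts or CSS over HTTP) can be combined into one check. This is an added example, not part of the original message and not any browser's actual code; `show_ev_indicator`, its parameters, the host names and the sample markup are assumptions constructed for illustration.

```python
from html.parser import HTMLParser
from urllib.parse import urljoin, urlparse

# Tags whose fetched resource can script or restyle the page, and the
# attribute that carries the URL (an assumed, deliberately small set).
ACTIVE = {"script": "src", "iframe": "src", "link": "href"}

class SubresourceScanner(HTMLParser):
    """Collect active subresources that a page loads over plain HTTP."""
    def __init__(self, page_url):
        super().__init__()
        self.page_url = page_url
        self.insecure = []

    def handle_starttag(self, tag, attrs):
        attr = ACTIVE.get(tag)
        if attr is None:
            return
        a = dict(attrs)
        # Only <link rel="stylesheet"> counts; other rel values are ignored here.
        if tag == "link" and "stylesheet" not in (a.get("rel") or "").lower().split():
            return
        ref = a.get(attr)
        if not ref:
            return
        absolute = urljoin(self.page_url, ref)  # resolves relative and //host forms
        if urlparse(absolute).scheme == "http":
            self.insecure.append((tag, absolute))

def find_insecure_subresources(page_url, html):
    scanner = SubresourceScanner(page_url)
    scanner.feed(html)
    return scanner.insecure

def show_ev_indicator(cert_is_ev, name_mismatch_overridden, page_url, html):
    """EV UI only if the cert is EV, no user exception was needed,
    and the page loads no active content over HTTP (hypothetical policy)."""
    if not cert_is_ev or name_mismatch_overridden:
        return False
    return not find_insecure_subresources(page_url, html)

# Constructed sample page, not the real site's markup.
SAMPLE = """<html><head>
<link rel="stylesheet" href="http://static.example.test/site.css">
<script src="/js/local.js"></script>
<script src="//cdn.example.test/lib.js"></script>
</head><body><script src="http://jobs.example.test/widget.js"></script></body></html>"""
```

Relative and scheme-relative references inherit the page's HTTPS scheme, so only the two explicit `http://` references in the sample are reported.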