- From: Bjoern Hoehrmann <derhoermi@gmx.net>
- Date: Thu, 17 Oct 2013 00:02:41 +0200
- To: Ralf Skyper Kaiser <skyper@thc.org>
- Cc: www-archive@w3.org
* Ralf Skyper Kaiser wrote:
>The summary also contains some (but not all) proposed security solutions
>and enhancements for the 'CA Trust Problem' and some general security
>enhancement for the deployment of SSL/TLS.
>
>Comments and feedback are welcome.
>
>https://thc.org/ssl

In section 5.7 I do not quite follow the scenario in which this happens,
"In all current web browser implementations a pop-up warns the user of an
unknown HTTPS connection attempt. A fingerprint is displayed to the user
and the user is encouraged to verify the fingerprint (by magical means)
before clicking 'continue'", and I do not recall seeing fingerprints
without clicking through dialogs on any certificate error in any browser,
and nowadays browsers do not offer detailed information about certificates
anymore (IE and Firefox display an error page from which you cannot obtain
certificate details, Opera 12.x does display a dialog with details, but
it's entirely unusable as it resets the dialog every few seconds) ...
anyway, the suggestion "The user should be asked to insert the correct
fingerprint" seems rather strange, given the remark about the "magical
means" beforehand. Having ordinary users enter some kind of fingerprint
anywhere seems to be a non-starter, in any case...

In section 6.1, BCPs are RFCs.

-- 
Björn Höhrmann · mailto:bjoern@hoehrmann.de · http://bjoern.hoehrmann.de
Am Badedeich 7 · Telefon: +49(0)160/4415681 · http://www.bjoernsworld.de
25899 Dagebüll · PGP Pub. KeyID: 0xA4357E78 · http://www.websitedev.de/
Received on Wednesday, 16 October 2013 22:03:03 UTC
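As an added example (not part of this e-mail, nor code from the thc.org/ssl document it discusses), here is the mechanism the quoted section 5.7 describes, written in Python: a certificate fingerprint rendered the way browser dialogs print it, a tolerant comparison of whatever the user typed against it, and a trust-on-first-use pin store that distinguishes an unknown host from a host whose certificate changed. The DER bytes are constructed placeholders, not a real certificate, and the names `fingerprint`, `fingerprints_match` and `PinStore` are this example's own.

```python
import hashlib
import hmac
import re
from typing import Dict, Optional

# Constructed stand-in for the DER bytes of a server certificate (this is
# NOT a real certificate).  A fingerprint is just a hash over the exact DER
# bytes the server presented, so arbitrary but stable bytes suffice offline.
CONSTRUCTED_DER = b"\x30\x82\x01\x00" + bytes(range(256))
OTHER_DER = b"\x30\x82\x01\x00" + bytes(reversed(range(256)))


def fingerprint(der: bytes, algo: str = "sha256") -> str:
    """Render a certificate fingerprint the way browser dialogs print it:
    upper-case hex octets separated by colons (e.g. 'AB:CD:...')."""
    digest = hashlib.new(algo, der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


_NON_HEX = re.compile(r"[^0-9a-f]")


def normalize(fp: str) -> str:
    """Canonicalize a fingerprint as a user might type it: any case, with or
    without colons, spaces or dashes.  Non-hex characters are dropped."""
    return _NON_HEX.sub("", fp.lower())


def fingerprints_match(expected: str, typed: str) -> bool:
    """Compare a displayed fingerprint against user input.  Length is checked
    first so a truncated entry never matches; the body compare is constant
    time so the check cannot leak which prefix was right."""
    a, b = normalize(expected), normalize(typed)
    if not a or len(a) != len(b):
        return False
    return hmac.compare_digest(a, b)


class PinStore:
    """Trust-on-first-use pin store keyed by host name (hypothetical helper).

    On an unknown host the user is asked to confirm the fingerprint; once
    confirmed it is pinned, and later connections are checked against the
    pin only.  A changed certificate on a pinned host is a hard failure.
    """

    def __init__(self) -> None:
        self._pins: Dict[str, str] = {}

    def check(self, host: str, der: bytes, typed: Optional[str] = None) -> str:
        """Return one of:
        'trusted'  - host already pinned and the certificate matches
        'mismatch' - host pinned but the certificate changed (do not continue)
        'pinned'   - first use and the typed fingerprint confirmed it
        'unknown'  - first use and no (or a wrong) fingerprint was supplied
        """
        seen = normalize(fingerprint(der))
        pinned = self._pins.get(host)
        if pinned is not None:
            return "trusted" if hmac.compare_digest(pinned, seen) else "mismatch"
        if typed is not None and fingerprints_match(seen, typed):
            self._pins[host] = seen
            return "pinned"
        return "unknown"


if __name__ == "__main__":
    store = PinStore()
    fp = fingerprint(CONSTRUCTED_DER)
    print("displayed:", fp)
    print(store.check("example.test", CONSTRUCTED_DER))              # unknown
    print(store.check("example.test", CONSTRUCTED_DER, fp.lower()))  # pinned
    print(store.check("example.test", CONSTRUCTED_DER))              # trusted
    print(store.check("example.test", OTHER_DER))                    # mismatch
```

The normalization step is where a "please type the fingerprint" UI would have to be forgiving (case, separators, whitespace), and the length check is what keeps that forgiveness from turning a partial entry into a match; the `mismatch` branch is the only one of the four outcomes a client can act on without any user judgement, which is the practical content of the objection above.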