Re: Considering the pressure to turn HTTPS into a three-party protocol

> On 16 Feb 2015, at 4:12 pm, Ryan Sleevi <sleevi@google.com> wrote:
> 
> On Sun, Feb 15, 2015 at 6:30 PM, Mark Nottingham <mnot@mnot.net> wrote:
> 
>> CA certs and extensions are built into all of the major browsers.
> 
> This is demonstrably not true.
> 
> Chrome (on most platforms), Opera (post-Blink) IE, Safari, and Firefox
> (as packaged by every major Linux distro, but not as distributed by
> Mozilla) all treat CA certificates as part of the OS/operating
> environment, much in the same way that name resolution is.

Of course. I was more referring to the fact that they're available when using all browsers.


> Of those that distribute certs in-band, this is only Firefox (as
> distributed by Mozilla) and Opera (prior to Blink).
> 
> I realize I'm ignoring a large swathe of UAs in that mix, but I think
> if we're going to use terms like "all major browsers", then it's worth
> noting how incorrect this statement is.

Noted. It'd be great if you could address the overall topic, rather than picking at terminology, building straw men, etc...


>> Because this is a question of how the Web is presented to and understood by end users,
> 
> Having the W3C issue findings on how the Web presents security indica
> has historically gone over like a lead balloon (c.f.
> http://www.w3.org/TR/wsc-ui/ )

Yep, I know. W3C has done many things wrong in the past. It's also learned how to do some things right in the meantime.


Cheers,



--
Mark Nottingham   https://www.mnot.net/

Received on Monday, 16 February 2015 05:32:24 UTC