Re: Considering the pressure to turn HTTPS into a three-party protocol

From: Mark Nottingham <mnot@mnot.net>
Date: Mon, 16 Feb 2015 16:31:56 +1100
Cc: "www-tag@w3.org List" <www-tag@w3.org>
Message-Id: <13D87A04-01EC-48B6-BE91-E825EC55594C@mnot.net>
To: Ryan Sleevi <sleevi@google.com>

> On 16 Feb 2015, at 4:12 pm, Ryan Sleevi <sleevi@google.com> wrote:
> 
> On Sun, Feb 15, 2015 at 6:30 PM, Mark Nottingham <mnot@mnot.net> wrote:
> 
>> CA certs and extensions are built into all of the major browsers.
> 
> This is demonstrably not true.
> 
> Chrome (on most platforms), Opera (post-Blink), IE, Safari, and Firefox
> (as packaged by every major Linux distro, but not as distributed by
> Mozilla) all treat CA certificates as part of the OS/operating
> environment, much in the same way that name resolution is.

Of course. I was more referring to the fact that they're available when using all browsers.


> Of those that distribute certs in-band, this is only Firefox (as
> distributed by Mozilla) and Opera (prior to Blink).
> 
> I realize I'm ignoring a large swathe of UAs in that mix, but I think
> if we're going to use terms like "all major browsers", then it's worth
> noting how incorrect this statement is.

Noted. It'd be great if you could address the overall topic, rather than picking at terminology, building straw men, etc...


>> Because this is a question of how the Web is presented to and understood by end users,
> 
> Having the W3C issue findings on how the Web presents security indicia
> has historically gone over like a lead balloon (c.f.
> http://www.w3.org/TR/wsc-ui/ )

Yep, I know. W3C has done many things wrong in the past. It's also learned how to do some things right in the meantime.


Cheers,



--
Mark Nottingham   https://www.mnot.net/
Received on Monday, 16 February 2015 05:32:24 UTC