W3C home > Mailing lists > Public > www-tag@w3.org > January 2015

Re: Draft finding - "Transitioning the Web to HTTPS"

From: Henry S. Thompson <ht@inf.ed.ac.uk>
Date: Mon, 19 Jan 2015 09:56:46 +0000
To: Mark Nottingham <mnot@mnot.net>
Cc: Henri Sivonen <hsivonen@hsivonen.fi>, Chris Palmer <palmer@google.com>, Noah Mendelsohn <nrm@arcanedomain.com>, "Michael\[tm\] Smith" <mike@w3.org>, Tim Berners-Lee <timbl@w3.org>, Public TAG List <www-tag@w3.org>
Message-ID: <f5bfvb7um8x.fsf@troutbeck.inf.ed.ac.uk>
Mark Nottingham writes:

> To the latter point -- I still find it remarkable that this is
> extremely common practice:
>    http://ist.mit.edu/certificates
> ... and the OS/browser UX doesn't warn the user of the power granted
> by doing so (last I checked).

I'll bite -- what _should_ the UX say?  That is, what _is_ the risk
(and what is the alternative that MIT should be using)?

The alternative an entity not a million miles away from my desk
uses is to just self-sign and expect us to click through the resulting
warnings. . .

       Henry S. Thompson, School of Informatics, University of Edinburgh
      10 Crichton Street, Edinburgh EH8 9AB, SCOTLAND -- (44) 131 650-4440
                Fax: (44) 131 650-4587, e-mail: ht@inf.ed.ac.uk
                       URL: http://www.ltg.ed.ac.uk/~ht/
 [mail from me _always_ has a .sig like this -- mail without it is forged spam]
Received on Monday, 19 January 2015 09:57:30 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:57:09 UTC