- From: Mark Nottingham <mnot@mnot.net>
- Date: Mon, 19 Jan 2015 21:12:28 +1100
- To: "Henry S. Thompson" <ht@inf.ed.ac.uk>
- Cc: Henri Sivonen <hsivonen@hsivonen.fi>, Chris Palmer <palmer@google.com>, Noah Mendelsohn <nrm@arcanedomain.com>, "Michael[tm] Smith" <mike@w3.org>, Tim Berners-Lee <timbl@w3.org>, Public TAG List <www-tag@w3.org>
Hi Henry, > On 19 Jan 2015, at 8:56 pm, Henry S. Thompson <ht@inf.ed.ac.uk> wrote: > > Mark Nottingham writes: > >> To the latter point -- I still find it remarkable that this is >> extremely common practice: >> http://ist.mit.edu/certificates >> ... and the OS/browser UX doesn't warn the user of the power granted >> by doing so (last I checked). > > I'll bite -- what _should_ the UX say? That is, what _is_ the risk > (and what is the alternative that MIT should be using)? That’s a good question. I’m not a UX person, and don’t pretend to be one. My issue is that the user isn’t warned at all, and the default — power to MITM — is surprising, unless you understand how PKI works. In a perfect world, browser trust stores would only allow CAs to be installed if they have name constraints (perhaps respecting the public suffix list). Since that horse has already bolted, it’s more difficult. > The alternative an entity not a million miles away from my desk > uses is to just self-sign and expect us to click through the resulting > warnings. . . Cheers, -- Mark Nottingham https://www.mnot.net/
Received on Monday, 19 January 2015 10:12:59 UTC