W3C home > Mailing lists > Public > www-tag@w3.org > January 2015

Re: Draft finding - "Transitioning the Web to HTTPS"

From: Anne van Kesteren <annevk@annevk.nl>
Date: Tue, 20 Jan 2015 13:49:05 +0100
Message-ID: <CADnb78gC=44G8dMeAW2mZZu7_=L=S+vJsdGrb49=OhRVM8U5sQ@mail.gmail.com>
To: Charles McCathienevile <chaals@yandex-team.ru>
Cc: Paul Libbrecht <paul@hoplahup.net>, "Henry S. Thompson" <ht@inf.ed.ac.uk>, Mark Nottingham <mnot@mnot.net>, Henri Sivonen <hsivonen@hsivonen.fi>, Chris Palmer <palmer@google.com>, Noah Mendelsohn <nrm@arcanedomain.com>, "Michael[tm] Smith" <mike@w3.org>, Tim Berners-Lee <timbl@w3.org>, Public TAG List <www-tag@w3.org>
On Tue, Jan 20, 2015 at 1:28 PM,  <chaals@yandex-team.ru> wrote:
> 19.01.2015, 15:01, "Anne van Kesteren" <annevk@annevk.nl>:
>> Anything but proper CA certificates is a major attack vector
> This is misleading. "proper CA certificates" is a very ill-defined term.

It seems you missed the earlier email where I established that
non-user installed CAs are vetted. And that as far as Gecko goes (and
I believe Chromium uses a derivative) there's a public vetting process
for CAs: https://wiki.mozilla.org/CA That process is quite well
defined and has seen over a decade of practice.

Received on Tuesday, 20 January 2015 12:49:28 UTC

This archive was generated by hypermail 2.4.0 : Friday, 17 January 2020 22:57:09 UTC