
Re: Draft finding - "Transitioning the Web to HTTPS"

From: timeless <timeless@gmail.com>
Date: Sun, 14 Jun 2015 13:40:38 -0400
Message-ID: <CACsW8eFN-OsXdzKkoiNAPk=Fa3w-pVTd1p0SLAPa0jgTnbei1Q@mail.gmail.com>
To: Mark Nottingham <mnot@mnot.net>
Cc: Public TAG List <www-tag@w3.org>

Mark Nottingham wrote:
> That’s a good question. I’m not a UX person, and don’t pretend to be one.
> My issue is that the user isn’t warned at all, and the default — power to MITM — is surprising,
> unless you understand how PKI works.

> In a perfect world, browser trust stores would only allow CAs to be installed if they have name constraints (perhaps respecting the public suffix list).
> Since that horse has already bolted, it’s more difficult.

I don't think it's intractable [1].

[1] https://lists.w3.org/Archives/Public/www-tag/2015Jun/0007.html
Received on Sunday, 14 June 2015 17:41:10 UTC
