On May 21, 1:46 am, Kurt Seifried k...@seifried.org wrote:
m...@mattmccutchen.net wrote:
I'm not claiming that the user knows. I only said that if there is in
fact no impersonation, then the error is a false positive.
[...]
For you to claim that the browser should be able to determine the
On 05/21/2010 06:12 AM, From Kyle Hamilton:
The way that commercial certifying authorities have gone about
things thus far is completely antithetical to how business is
transacted on the commercial internet. (hint: banks require *two*
forms of ID in order to open a bank account, and CAs provide
On 05/21/2010 07:36 AM, From Matt McCutchen:
That's not right. We are discussing SSL as a /means/ to prevent
impersonation of the site the user wanted to visit. In this context,
a false positive is defined as an SSL error when no impersonation is
taking place.
Oh really? And how do
On 05/21/2010 08:46 AM, From Kurt Seifried:
For you to claim that the browser should be able to determine the
intent of a self signed and unknown certificate (i.e. is it
legitimate, or a man in the middle) without any external help
represents a failing is to show a pretty fundamental lack of
On 21/05/10 12:11, Eddy Nigg wrote:
And your whole arguing starts to become ridiculous.
Not at all. He is saying that the browser cannot tell whether a
certificate problem is the result of an attack or the result of a
misconfiguration. And that's absolutely correct. Isn't it?
Otherwise
On 21/05/10 05:36, Matt McCutchen wrote:
I'm not claiming that the user knows. I only said that if there is in
fact no impersonation, then the error is a false positive.
This seems a fine definition to me.
If the browser says OMG - someone might be trying to MITM you, and
no-one is, that's
On 5/21/2010 9:51 AM, Gervase Markham wrote:
Otherwise we'd just not put up errors for the misconfigurations, only
for the attacks :-)
Is there an open bug for support of RFC 3514?
http://tools.ietf.org/html/rfc3514
- Marsh
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
intent of a self signed and unknown certificate (i.e. is it
legitimate, or a man in the middle) without any external help
represents a failing is to show a pretty fundamental lack of
understanding as to how this all works.
Once again, I make no such claim. I said that if there is in
On 05/21/2010 07:52 AM, Gervase Markham wrote:
On 21/05/10 05:36, Matt McCutchen wrote:
I'm not claiming that the user knows. I only said that if there is in
fact no impersonation, then the error is a false positive.
This seems a fine definition to me.
If the browser says OMG - someone
2010/5/21 Robert Relyea rrel...@redhat.com:
On 05/21/2010 07:52 AM, Gervase Markham wrote:
On 21/05/10 05:36, Matt McCutchen wrote:
I'm not claiming that the user knows. I only said that if there is in
fact no impersonation, then the error is a false positive.
This seems a fine definition