Derik asks the pertinant question:
> The question is:  how do we convince M$ and Netscape to include something
> else in their software?  If it's not supported in IE, then it wont be
> available to the vast majority of users out there.

My view, again, IMHO:  ignore Microsoft.  Concentrate
on the open source solutions:  KDE, Mozilla, Apache.

These groups will always lead in security, because
they are not twisted by institutional conflicts;
they can examine historical security model from the
point of view of interested professionals, rather
than commercial actors trying to preserve this or
that revenue stream.

The trick is to understand whether HTTPS as it
currently is can be improved.  If it can, then
those above guys can do it.

Once the improvements are shown to work, Microsoft
will follow along.  They are a follower company,
not an innovator, and they need to see it work in
practice before doing anything.  As Derik suggests,
the vast majority of users will have to wait.

Along those lines, there's one piece of excellent

Eric Rescorla wrote:
> One can simply cache the certificate, exactly as
> one does with SSH. In fact, Mozilla at least does exactly
> this if you tell it to.

That's fantastic!  I never knew that.  How does one
set that option on Mozilla?  (I'm using 5.0 / 1.3.1.)


Reply via email to