Frank,

Thanks for your reply. Presently I am just too tired to do your answer justice. Perhaps tomorrow.

The generality to which I refer, "push", is a basic philosophy that seems to pervade an awful lot, if not all, of the net today. Specifically, by not making the installed certs both more evident to the user and by not making them fully removable by users, FF is "doing what is best" for ?the users? or for site publishers? Perhaps today our browsers just may be trying to do too much and do not allow the user to effectively block "unneeded" frills. A summary on that would be that most of us block all flash and view sites that rely on flash as both security risks (5 flash vulns in last 6 months) and unnecessary marketing hype. Yet sites often continue to both throw flash and to demand javascript where neither is necessary; cute, but not necessary.

Regarding the cert problems: the answer to your "which one" question is "yes, both". As far as specific examples, I do not track that and have no desire to do so. As a somewhat tech user, I expect experts to do that, and I would refer you to at least three entries in the SANS diary over the last 6 months on failures to revoke known fraud certs (both Thawte and Verisign, I believe), failure to verify the cert applicant before issuing a cert, and, as pointed out above, one of the root certs has apparently expired. So are you saying that FF has fully proofed the root certs? If not, then the following of a procedure did not seem to have eliminated questionably operated root certs. But you are right: with the changes you are proposing (bug reports), the situation should be improved a bit.

Certs are a problem. And like the banking redirects to "checks.x", improper implementations can lead to a whole other set of problems. I would suggest on "features" like certs and other more controversial items (like that FF ping home thing from months ago) that it would serve FF better to make the user more of an active part in the installation of such.

sleepy & tired
Oops199
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security