Eddy Nigg (StartCom Ltd.) wrote:
> But the core question remains: Why should Mozilla take responsibility of a business which does not even belong to Mozilla?!!!
Because part of our business is to take people where they want to go, but also keep them away from where they should not be - even if they accidentally asked to go there. We take responsibility for helping our users be safe, so far as we can, because that's a browser's role in 2007.
> It's _their_ business, _their_ profits and _their_ responsibility! Let them find _their_ own solution for _their_ own problem!
They can't produce a solution without underlying security primitives in the browser.
This is similar to the problem of trying to provide secure divisions between users in a software product if the OS has no underlying concept of different users (e.g. Windows 95). It just can't be done if the base isn't there.
Still, I'm not sure what you are arguing. Should we rip out SSL support altogether? After all, that would leave the field free for them to find their own solution to their own problem...
> Secondly, it seems to me, that the interested CAs in the CA/Browser forum simply found reasons and an easy way in order to justify the selling of over-priced digital certification by whining about phishing attacks on eBay and Paypal.
If they are over-priced, then that's a business opportunity for you.

Gerv
_______________________________________________
dev-security mailing list
https://lists.mozilla.org/listinfo/dev-security
