Justin Dolske wrote: > That doesn't seem all too different from a vanilla-SSL site having an > XSS hole.
Indeed not. We have an opportunity here to make successful XSS harder. > I'm not sure how that could be explained to a user in a > meaningful way, either. I'd also be wary about building the impression > that content served under an EV cert is somehow more trustworthy, when > it seems we're taking pains to avoid that rathole and focus on it being > a site identity thing. Right. But allowing this makes it possible for the identity presented to not be the identity of the owner of the content. That might actually lead to the idea that we should require that all the content comes from the same company (O field). But that would be fairly extreme. > Also, a more practical concern would be that if existing an existing SSL > site is already linking to SSL content under a different certificate, > then upgrading to an EV cert would break that. That might just be > education issue for purchasers of EV certs, though. Could be. Gerv _______________________________________________ dev-security mailing list [email protected] https://lists.mozilla.org/listinfo/dev-security
