Nelson B Bolyard:
>
> Only if the server cert is from a CA that follows a reasonable CP/CPS.
>

Obviously...

> The case of concern is the server with a self-signed cert, or cert from
> an unknown CA, that has an AIA extension that points to a tracking host
> of some sort. The chain won't validate (the first time, without a "security
> exception"), but the fact that the user attempted to visit it
> has been recorded by the tracking host, whether the handshake to the
> original server succeeds or fails (when AIA cert fetching is used).
> And if the user creates a "security exception" for it, then each
> subsequent visit may also cause tracking.

Suppose it's a self-signed certificate, then the visit is already registered by other means. If it's an unknown CA it's really a grey area, agreed.

> I believe that, within the Mozilla developer community, there is a widely
> held misconception that NSS=PSM and the NSS team is the PSM team. But
> that's really not correct. Most of the NSS developers are paid to work
> on NSS but not on PSM. PSM could use more love, I think.

Besides Kai, who else does PSM?

> That feature is not yet present in NSS 3.12. It's a feature enhancement,
> and right now all resources are working on bugs, which generally take
> priority over enhancements. :-(

Understandable.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog: https://blog.startcom.org

_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto

