Nelson Bolyard wrote:

> When you trust a cert as a peer, you trust it for all the names that
> appear in that cert, just as if it had been issued by a CA you trust.
> If it has 50 subject alt names, or a wildcard name, you trust that cert
> for all those names.
>
> It turned out that browser users never understood that. They always
> assumed that when they chose to trust an unverifiable SSL server cert
> as a peer, they were only trusting it for the one site (host name)
> that they were attempting to visit when they encountered the unverifiable
> cert.
IIRC Firefox (and Seamonkey) never showed the 50 subject alt names when asking for the peer trust. If the UI weren't so terse, the user would have understood this.

Regarding PKI/LDAP features, there are still things lacking in recent Mozilla apps which worked pretty well in Netscape Comm. 4.5x.

Ciao, Michael.

_______________________________________________
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
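The point both messages make is that a peer-trust exception covers every name in the certificate, not just the host the user was visiting, and that the dialog never showed the user that scope. The following is an added example, not code from either poster or from Mozilla: it takes the list of subject alternative names that a certificate parser would hand you (the list here is constructed, not taken from a real certificate), applies RFC 6125-style matching (wildcard only in the leftmost label, matching exactly one label), and reports what a "trust this peer" decision for one host would additionally cover. A UI that showed this summary would have made the scope of the exception obvious.

```python
import ipaddress


def _dns_name_matches(pattern: str, host: str) -> bool:
    """Match a DNS SAN entry against a host name.

    A wildcard is honoured only as the entire leftmost label and matches
    exactly one label (RFC 6125 section 6.4.3 style), so '*.example.org'
    covers 'shop.example.org' but neither 'example.org' nor 'a.b.example.org'.
    """
    pattern = pattern.lower().rstrip(".")
    host = host.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    p_labels = pattern.split(".")
    h_labels = host.split(".")
    # Require at least two literal labels after the wildcard ('*.tld' is refused).
    if p_labels[0] != "*" or len(p_labels) < 3 or "*" in pattern[2:]:
        return False
    return len(p_labels) == len(h_labels) and p_labels[1:] == h_labels[1:]


def san_matches_host(san_entry, host: str) -> bool:
    """san_entry is a (kind, value) pair as a cert parser would yield: ('DNS', ...) or ('IP', ...)."""
    kind, value = san_entry
    if kind == "DNS":
        return _dns_name_matches(value, host)
    if kind == "IP":
        try:
            return ipaddress.ip_address(host) == ipaddress.ip_address(value)
        except ValueError:
            return False
    # Other SAN kinds (email, URI, ...) never identify a TLS server.
    return False


def exception_scope(san_entries, visited_host: str) -> dict:
    """Describe what trusting this cert as a peer, while visiting visited_host, would cover.

    Returns whether the visited host is even named in the cert, plus every other
    identity the same trust decision silently extends to.
    """
    matched = [e for e in san_entries if san_matches_host(e, visited_host)]
    others = [e for e in san_entries if e not in matched and e[0] in ("DNS", "IP")]
    return {
        "visited_host_named": bool(matched),
        "matching_entries": matched,
        "also_trusted": others,
        "wildcards": [e for e in san_entries if e[0] == "DNS" and "*" in e[1]],
    }


def describe_exception(san_entries, visited_host: str) -> str:
    """Plain-text summary a trust dialog could show instead of a terse 'accept' button."""
    scope = exception_scope(san_entries, visited_host)
    lines = [f"Trusting this certificate for {visited_host} also trusts it for:"]
    for kind, value in scope["also_trusted"]:
        note = "  (any single-label host under this domain)" if "*" in value else ""
        lines.append(f"  {kind}: {value}{note}")
    if not scope["also_trusted"]:
        lines.append("  (no other names)")
    if not scope["visited_host_named"]:
        lines.append(f"Note: {visited_host} is not named in this certificate at all.")
    return "\n".join(lines)


# Constructed sample SAN list: the kind of entries a certificate parser would return.
SAMPLE_SANS = [
    ("DNS", "www.example.org"),
    ("DNS", "*.example.org"),
    ("DNS", "mail.example.net"),
    ("IP", "192.0.2.10"),
]

if __name__ == "__main__":
    print(describe_exception(SAMPLE_SANS, "www.example.org"))
```

Run as a script, it prints the names that a single peer-trust decision for www.example.org would also cover, which is exactly the information the old dialog withheld.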

