When I hit reply the Mozilla groups bounce my email, so replying off list.

[email protected] wrote:

> I'm not claiming that the user knows. I only said that if there is in
> fact no impersonation, then the error is a false positive.

If you're going to redefine what a false positive is then this thread is a HUGE waste of time for all concerned.

Here's the reality of it: Self signed certificate, one of two things will happen:

1) The browser (not the user, but we're talking about the browser here) does not recognize the signing authority used for this certificate. The browser reports this as an untrusted certificate. This is correct. How is the browser to know this is a "legitimate" self signed certificate without being told? Which leads us to the second possibility:

2) The user has already told the browser to trust this self signed certificate, or the browser came with it installed, or someone rolled out the certificate in the user's home directory, etc. In this case the browser would recognize and trust the certificate and not hassle the user.

1 is correct behavior and is always a false positive. The browser can't know if there is impersonation or not, it cannot determine intent (for that matter most users can't either). All the browser can say is:

a) This certificate is signed by someone I trust or I have been otherwise told to trust this certificate

b) I do not recognize this certificate, it is time for you the user to become involved.

For you to claim that the browser should be able to determine the intent of a self signed and unknown certificate (i.e. is it legitimate, or a man in the middle) without any external help represents a failing is to show a pretty fundamental lack of understanding as to how this all works.

-Kurt

--
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
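To make the two outcomes Kurt describes concrete, here is an added example (not from the thread, and not Mozilla or NSS code) that reproduces the browser's decision with the OpenSSL command line: a certificate is accepted if it chains to a CA in the trust store or if its fingerprint appears in a list the user explicitly trusted, and is reported as unknown otherwise. It assumes the `openssl` CLI is installed; the CA, the `example.test` certificates and the user trust list are all constructed samples generated inside the script.

```shell
#!/bin/sh
# Added example: models the browser's trust decision with the OpenSSL CLI.
# Assumes `openssl` is installed; every certificate below is a constructed sample.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Case 1: a self-signed server certificate, as a site admin would generate it.
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=example.test" \
    -keyout selfsigned.key -out selfsigned.pem 2>/dev/null

# Case 2: a private CA plus a server certificate it signed (the "someone I trust" path).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Example Private CA" \
    -keyout ca.key -out ca.pem 2>/dev/null
openssl req -newkey rsa:2048 -nodes -subj "/CN=example.test" \
    -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA ca.pem -CAkey ca.key -CAcreateserial \
    -days 1 -out server.pem 2>/dev/null

# SHA-256 fingerprint of a certificate: the value a user "tells the browser" to trust.
fingerprint() {
    openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# classify CERT CA_STORE USER_TRUSTED_FILE
# Mirrors the browser's only two answers: (a) signed by a trusted CA, or explicitly
# trusted by the user -> accepted; (b) unrecognized -> "unknown", the user must decide.
# Nothing here can tell a legitimate self-signed cert from an impersonation.
classify() {
    cert=$1; store=$2; pinned=$3
    if openssl verify -CAfile "$store" "$cert" >/dev/null 2>&1; then
        echo trusted-by-ca; return 0
    fi
    if [ -n "$pinned" ] && grep -qxF "$(fingerprint "$cert")" "$pinned"; then
        echo trusted-by-user; return 0
    fi
    echo unknown
}

# No user trust decision yet: the CA-signed cert passes, the self-signed one is unknown.
echo "CA-signed cert:   $(classify server.pem ca.pem "")"
echo "self-signed cert: $(classify selfsigned.pem ca.pem "")"
# The user (or an admin rollout) records the self-signed cert as trusted; now it passes.
fingerprint selfsigned.pem > user_trusted.txt
echo "self-signed cert, after user trusts it: $(classify selfsigned.pem ca.pem user_trusted.txt)"
```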

