On Sat, Jul 14, 2012 at 2:18 PM, Antonio Manuel Amaya Calvo <[email protected]> wrote:
> So users believe https => I can trust this site's *content* to be trusted.
> While reality believes https => this site is 'vaguely' identified. Very
> vaguely in most cases too.

The point I was trying to make is that on the Web you can only trust the content by trusting that the organization identified to be at the other end of the pipe is trustworthy to send you proper content. There's no third party certifying anything about the content on the Web, so it's natural that trying to add that leads to un-Webby solutions.

As for vagueness of identification of the other party, I deliberately mentioned certificate pinning. If the act of "installing" an app pins its certificate to a value established by the application store, then the identification is exactly as non-vague as a developer identification in the application store in general. That is, identification by the application store could replace the problems of the CA system. (If you don't trust the store to get the identification right, why would you trust the store to perform fancier functions?)

--
Henri Sivonen
[email protected]
http://hsivonen.iki.fi/
_______________________________________________
dev-webapps mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-webapps
