as I understand it a typical user would always get a warning dialog the first time they downloaded a signed code object (e.g., Java applet or XPI) from a new developer. In that event a typical user might be more likely to click the "View Certificate" button
FYI, Mozilla currently always shows the warning before installing an XPI, and it does (to my knowledge) show the real name of the signer right in the dialog. (DougT implemented that some time ago, IIRC.)
(And recall that the criteria in question here are really the criteria we would use for our own evaluation of CAs, in cases where independent evaluations either don't exist or we choose not to rely entirely on them, for whatever reason.)
I think we should enforce the same requirements on all CAs. If a CA has a WebTrust attest, but knowingly violates a rule we have for our evaluation, it should not pass. One big exception: I don't think we can do without VeriSign=Thawte in any case :-( , if we are to keep the current security model.
