[Note: I joined the list very late in the game, and didn't see the original message. This is my reaction to seeing it now, and my thoughts on the concepts involved -- please feel free to bring me in-line with the actual objectives.]
For some more background, what Tyler is referring to is a middle-of-the-night strawman proposal I made for changing the Firefox SSL UI; see
http://groups-beta.google.com/group/netscape.public.mozilla.security/browse_frm/thread/50380eb8fd51b81f
for a copy of my original post and discussion about it.
Note a couple of points about my strawman:
* Where I mention "low assurance" vs. "high assurance" certs I would now substitute "domain-validated" vs. "identity-validated" as more neutral terms. One problem I have with the debate over domain validated certs is that blithely using terms like "low assurance" and "high assurance" is akin to proof by assertion; whether using traditional "identity-validated" certs is more secure in practice (which is what the use of "high" vs. "low" implies) than using domain-validated certs is IMO not something that can simply be assumed a priori.
* As I think I mentioned in my original post, I don't have any direct influence over the actual Firefox SSL UI. My proposal was meant to spark discussion, not as an official implementation plan.
Frank
--
Frank Hecker
[EMAIL PROTECTED]
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
