On Mon, 21 Mar 2011 09:05:30 -0400
Joseph Lorenzo Hall <[email protected]> wrote:

> It strikes me that I'd want notice (or the option to get notice)
> before submitting rare certs to the database... say a dialog like:
> "We're about to submit the certificate for the following site, [x] ok,
> [ ] no, do not submit this certificate. ([ ] remember this preference
> for this certificate)." My reasoning is that I should usually have a
> good idea when I'm expecting a rare/self-signed cert, and if I'm not
> expecting it, I'd probably want to submit it. Does that make sense?
> best, Joe

No.

1. The extension cannot determine whether you have a ‘rare’ certificate
   without querying the database.

2. If users do not report self-signed certificates that they expect to
   see, the database cannot be used to detect man-in-the-middle attacks
   on sites that use self-signed certificates.


Robert Ransom

_______________________________________________
tor-talk mailing list
[email protected]
https://lists.torproject.org/cgi-bin/mailman/listinfo/tor-talk