Boris Zbarsky wrote:
> So an alternate proposal is the user gets to the checkout, and gets a
> nice message from the browser saying,
> "The organization which says this site is safe to shop at is known
> to lie. Sending this site money could be very dangerous."
> But if we knew that, why didn't we just yank the cert anyway?
The advocates for a "CA reputation" system are suggesting that it would
work in absence of sufficient evidence for a browser to yank a cert.
Either that, or they believe that the browsers should just include the
certs of anyone who asks no matter what their behaviour, and let the
users sort it out - i.e. that we shouldn't be making judgements about CA
quality.
Gerv
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security