Justin Dolske wrote: > > That doesn't seem all too different from a vanilla-SSL site having an > XSS hole. Mhhh...if the site contains unencrypted content, then the browser notices it. If the parts are served by a different site (and certificate) there is no notice. However the issue here is about EV or non-EV (if there will be any distinction), which would make a difference. The same might be true if we'd make a distinctions between other different levels of verification methods. > I'm not sure how that could be explained to a user in a > meaningful way, either. I'd also be wary about building the impression > that content served under an EV cert is somehow more trustworthy, Hehe...we try to avoid the "trustworthy" word in connection with EV (and certs) ;-) > > Also, a more practical concern would be that if existing an existing SSL > site is already linking to SSL content under a different certificate, > then upgrading to an EV cert would break that. That might just be > education issue for purchasers of EV certs, though. From the site operator perspective I don't see any reason why a site shouldn't be served by the same certificate (or same level). If certificates are going to be mixed, then I think it should be downgraded to regular SSL, very similar to having the "broken lock" in the address bar. Like this site owners take care of correct installations.
Similar, if you have a valid certificate and mix content from a site with a self signed certificate, the browser complains. Guess something like that should happen here as well (i.e. downgrade). -- Regards Signer: Eddy Nigg, StartCom Ltd. Jabber: [EMAIL PROTECTED] Phone: +1.213.341.0390 _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
