On Sat, Oct 10, 2009 at 1:19 PM, Florian Weimer <f...@deneb.enyo.de> wrote:
> Does this address the lack of enforcement of the EV certificate
> security level (i.e. it is usually sufficient to get any
> browser-recognized certificate if I want to attack an EV site,
> *without* disabling the EV UI)?

Strict-Transport-Security does not address that threat model. Mozilla has proposed an extension to STS, called lockCA, that does address that threat model.

Adam
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security