On Thu, Jul 5, 2012 at 1:19 PM, John Nagle <na...@sitetruth.com> wrote: > On 7/4/2012 7:07 PM, Daniel Veditz wrote: > >> If we implement cert pinning we'll either have to allow that kind of >> business to disable it, or write off our users who work for >> companies with that kind of control freakery. It's more common than >> you'd think, some of our own Mozilla community members work for >> companies with that kind of policy. > > Any bypass mechanism should result in a user-visible display. > Perhaps a notification like "Your access to this page is being > observed by ...."
A balloon tip to pop up on any certificate validation which occurs due to a non-Mozilla-supplied root should work. What makes this perhaps workable is that larger tech firms already do use EV even for their intranets. What makes it not doable is that there is no asynchronous way to obtain certificate chain validation information in NSS as it exists. -Kyle H _______________________________________________ dev-security mailing list dev-security@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-security
