> > I'm trying to argue that current non-EV certification process is no good
> > and self-signed certificates can be used to provide equal security in
> > practice. Then we can discuss if browsers should display some kind of
> > "secure" indicators for HTTPS connections with non-EV certs/self-signed
> > certificates. I believe that the answer should be "no" and this is the
> > "neutral HTTPS" which has been discussed in this thread.
> >
>
> Self-signed certs would be even more secure than any other if the right
> mechanism (real question we hoped dnssec would answer, perhaps dnscurve
> and dnssec combined would be good enough if the DDOS question can be
> sorted too) to acquire the fingerprint from the source server or serve
> it to mozilla based on the submitter's ability to edit the server's ssl
> pages under that key was confirmed perhaps automatically.

I just wanted to add and be clear on my point that this 'real question'
is the one that the pro EV camp has failed to secure and a false sense
of security is worse than no security even if it does narrow the window
a little it may also take the focus away from the only thing that truly
counts (domain validation). So answering this question is paramount to
all certificates and standardising the authentication process which
counts is a must as the current email confirmation checks rely on the
insecure dns system and don't even use DKIM anyhow and my above example
is almost certainly more secure than the CA's checks and the realisation
of this would allow minimising the risk even in a world of insecure dns
as much as possible.

--
_______________________________________________________________________

'Write programs that do one thing and do it well. Write programs to work
together. Write programs to handle text streams, because that is a
universal interface'

(Doug McIlroy)
_______________________________________________________________________
