On 20/3/09 19:29, Anders Rundgren wrote:
This is a stupid comment.

Pardon me.  I just don't agree with the majority of this list since
many governments and banks in the EU are working in another
direction.  This may be due to ignorance


Folks, Anders is right about this "worldview" difference. But it's not easy to see unless you've spent some time on the other side of the fence. It is somewhat but not completely a cultural difference that derives from different attitudes to finance, regulation and "trust" whatever that is.

Having worked on both sides of the fence, I can see both perspectives, but it is beyond me to explain it all. Unfortunately, the conclusions often end up being completely different and contradictory, so it is somewhat head-spinning to figure out how the different sides of the Atlantic figured out their opposing conclusions.


but I insist that there
is a problem having *two* competing session mechanisms in
web-apps; one [IMO] may have to go.


I wonder if the point might be that only one form of auth matters, and once we decide which it is, the other(s) should allow itself to go passive?


The other problem is that the signature stuff that the Mozilla
community continuously downplays actually lives and this thingy


An example of this is qualified certificates. For those on the western side of the Atlantic (which includes Britain :) ) these are *a big deal* in Europe, and they more or less set the emotional standard for where everything is going. E.g., ETSI standards are written assuming QCs are the standard which makes them somewhat odd when considered from a server-auth viewpoint.


also works contra TLS-c-c-a as since you obviously shouldn't
have different PKI UIs for signatures and authentication.
We are talking about investments in the range of $100M/Y.


Pass some our way and you've got our attention ;-)

iang
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
