If that's his point, then I completely disagree with it. Just because every other part of Mozilla does security reviews wrong (or not at all) doesn't mean we also should do the same for the NSS and other security components of Mozilla.
The point is, if you set this bar too high does it impact on security in a detremental way in other areas cause people to have sites collecting money without any encryption at all. There are some mediums gaining a lot of market share such as cable internet and wireless that are somewhat inheriently insecure because the nature of them is insecure. Alternatively people after credit details usually don't want one or two they want 1000's of them, and while we're all focusing on CAs and SSL enabled websites these things are poorly secured in other areas, cost in a lot of countries is a significant factor, and because of this online shops may forgo the expense. As stated before only approx 0.3% of webservers have SSL valid or other wise, I'm sure there are a lot of sites out there collecting personal information at the same time.
Security should be a whole approach not focus specifically on one part of it that in the current form will leave people with a false sense of security.
-- Best regards, Duane
http://www.cacert.org - Free Security Certificates http://www.nodedb.com - Think globally, network locally http://www.sydneywireless.com - Telecommunications Freedom http://happysnapper.com.au - Sell your photos over the net! _______________________________________________ mozilla-crypto mailing list [EMAIL PROTECTED] http://mail.mozilla.org/listinfo/mozilla-crypto
