Worth noting what the IE7 folks are up to:

  http://blogs.msdn.com/ie/archive/2005/10/22/483795.aspx

A quick summary follows...


Changes in IE7 on both XP and Vista:

* turning off SSLv2 by default, enabling TLS by default

* continuing practice of showing error pages on cert-related errors, with user allowed to click through, but now will show an error indicator (red background in location bar) on subsequent pages


Vista-only changes:

* Support for AES

* revocation checking on by default, using OCSP if available

* support for TLS extensions, including Server Name Indication for TLS support of web sites using virtual hosting (single IP address)


As I understand it, here's the state of NSS and Firefox vis-a-vis the above items:

* SSLv2: Gerv Markham has been proselytizing for turning off SSLv2 in Mozilla-based clients. I recommend that we just do this in Firefox 2.0 and Thunderbird 2.0, especially since, if IE7 turns it off, any remaining SSLv2-only sites will be strongly motivated to upgrade.

* Cert-related errors. From the IE7 blog entry it's not clear if the error page presented to a user "clicking through" a cert-related error includes the option to permanently accept a server cert or CA root. I've previously proposed removing the cert-error modal dialog in Firefox and just showing the page with an error message in the informational bar. Another option would be to keep the modal dialog but restrict the options to "cancel the request" and "accept the cert temporarily for this session only". I recommend doing one or the other; I think the status quo is untenable.

* AES support. Already in NSS and hence in Firefox. (I thought this was already in Windows XP and IE6?)

* Revocation checking on by default. Previously discussed in this group, I can't remember what the current thinking is.

* TLS extensions and SNI in particular. Previously discussed in this group. Certainly if IE7/Vista will have support on the client side then it might make sense for server-side applications using NSS to have support as well, which could then lead to client-side support in Firefox.

Frank

--
Frank Hecker
_______________________________________________
mozilla-crypto mailing list
mozilla-crypto@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-crypto
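The SNI item above is the one piece of this thread that is concrete enough to show on the wire. The following is an added example, not code from Frank's message, from NSS or from IE7: it builds a minimal TLS 1.0 ClientHello carrying the server_name extension (type 0, as defined in RFC 3546), parses the host name back out the way a virtual-hosting server would before choosing a certificate, and treats anything that is not a TLS handshake record (an SSLv2-format hello, for instance) as "no SNI". The host names and the vhost-to-certificate map are constructed for the example; the zeroed client random is a placeholder and must never be used in a real handshake.

```python
import struct

SNI_EXTENSION_TYPE = 0x0000   # server_name extension (RFC 3546 / RFC 6066)
SNI_HOST_NAME = 0             # NameType host_name


def build_sni_extension(hostname: str) -> bytes:
    """Encode a server_name extension for one host_name entry."""
    name = hostname.encode("idna")
    server_name = struct.pack("!BH", SNI_HOST_NAME, len(name)) + name
    server_name_list = struct.pack("!H", len(server_name)) + server_name
    return struct.pack("!HH", SNI_EXTENSION_TYPE, len(server_name_list)) + server_name_list


def build_client_hello(hostname=None, cipher_suites=(0x002F, 0x0035)) -> bytes:
    """Return a TLS record holding a TLS 1.0 ClientHello.

    hostname=None produces a pre-extension ClientHello (what an old client sends).
    The 32-byte random is all zeros here only so the example is deterministic;
    a real client must use a CSPRNG.
    """
    version = b"\x03\x01"                      # TLS 1.0
    client_random = bytes(32)                  # constructed placeholder, NOT for real use
    session_id = b"\x00"                       # empty session id
    suites = b"".join(struct.pack("!H", c) for c in cipher_suites)
    suites_field = struct.pack("!H", len(suites)) + suites
    compression = b"\x01\x00"                  # one method: null
    body = version + client_random + session_id + suites_field + compression
    if hostname is not None:
        ext = build_sni_extension(hostname)
        body += struct.pack("!H", len(ext)) + ext
    handshake = b"\x01" + struct.pack("!I", len(body))[1:] + body   # type 1, 24-bit length
    return b"\x16" + version + struct.pack("!H", len(handshake)) + handshake


def extract_sni(record: bytes):
    """Return the SNI host_name from a TLS ClientHello record, or None.

    None is also returned for truncated or malformed input and for records that
    are not TLS handshake records (an SSLv2 hello starts with a length byte whose
    high bit is set, not with 0x16), so the caller falls back to a default cert
    instead of crashing on hostile bytes.
    """
    try:
        if record[0] != 0x16:
            return None
        rec_len = struct.unpack("!H", record[3:5])[0]
        hs = record[5:5 + rec_len]
        if len(hs) < rec_len or hs[0] != 0x01:
            return None
        body_len = int.from_bytes(hs[1:4], "big")
        body = hs[4:4 + body_len]
        if len(body) < body_len:
            return None
        pos = 2 + 32                                   # skip version + random
        pos += 1 + body[pos]                           # session id
        pos += 2 + struct.unpack("!H", body[pos:pos + 2])[0]   # cipher suites
        pos += 1 + body[pos]                           # compression methods
        if pos >= len(body):
            return None                                # no extensions block at all
        ext_total = struct.unpack("!H", body[pos:pos + 2])[0]
        pos += 2
        end = min(pos + ext_total, len(body))
        while pos + 4 <= end:
            etype, elen = struct.unpack("!HH", body[pos:pos + 4])
            pos += 4
            edata = body[pos:pos + elen]
            pos += elen
            if etype != SNI_EXTENSION_TYPE:
                continue
            list_len = struct.unpack("!H", edata[:2])[0]
            q = 2
            while q + 3 <= 2 + list_len:
                ntype, nlen = struct.unpack("!BH", edata[q:q + 3])
                q += 3
                if ntype == SNI_HOST_NAME:
                    return edata[q:q + nlen].decode("ascii")
                q += nlen
        return None
    except (IndexError, struct.error, UnicodeDecodeError):
        return None


# Constructed vhost map: host name -> certificate file a server would load.
VHOST_CERTS = {
    "www.example.com": "example_com.pem",
    "mail.example.org": "example_org.pem",
}
DEFAULT_CERT = "default.pem"


def select_certificate(client_hello: bytes, vhosts=VHOST_CERTS) -> str:
    """Pick the certificate for this connection from the ClientHello's SNI.

    Clients without SNI (IE6, pre-Vista IE7, any SSLv2 hello) get the default
    certificate, which is exactly why virtual hosting on one IP needed SNI.
    """
    name = extract_sni(client_hello)
    return vhosts.get(name, DEFAULT_CERT) if name else DEFAULT_CERT


if __name__ == "__main__":
    hello = build_client_hello("www.example.com")
    print(extract_sni(hello), select_certificate(hello))
    print(extract_sni(build_client_hello()), select_certificate(build_client_hello()))
```

The parser deliberately returns None rather than raising on short or malformed input: a server-side hook that dispatches on SNI sees raw bytes from arbitrary clients, and the default-certificate fallback is the safe behaviour for both legacy clients and garbage.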
