There are two sets of questions before us regarding this new extension
and the "qualified statements" it contains.  They are:

a) what should NSS do about them?
b) what should each application do about them? (this is obviously a set
of questions, one per application.)

In the cited bug, I have proposed to implement this extension in NSS
in a way that makes the support for this extension conditional on the
application that uses NSS.  As proposed, if the application that uses
NSS says to NSS, "Trust me, I handle this, you treat it as recognized
and supported", then NSS would do so.  The question then is, what
will the application(s) do with the info in this extension, if anything?

Now, recall that MoFo has no "security director" who decides how crypto
security policy affects UI.  And worse, it has no developer who is
actively working on the crypto UI (PSM is an orphan).  So, I am raising
the question that might otherwise be decided by that director or PSM
owner, if one existed.

I am hoping that the Firefox and Thunderbird UI czars will read this
thread in this group, and engage in discussion of this issue.

Ian, you've championed the idea of making crypto security less "binary"
in the UI, so I'd expect you to also like this idea, making a stated
limit of liability clear to the user whose money (and "security")
is on the line.

Please don't scare those UI czars away from this issue, or convince them
(by use of a dismissive attitude) that this isn't worth their consideration.

Thank you.

--
Nelson B
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security