Mark Martin wrote:
> I don't think the only issue is the lack of a handy, well known cert
> repository; the fact that the underlying implementation doesn't
> validate properly would probably surprise folks.

That really depends on what you mean by "validate properly"; sure, there are standards that define how this is done, but one person's proper validation is also over the top for other cases and highly insufficient for others.

> The choices that I saw were:
> a) Deliver with HTTPS disabled by default. Principle of least
> astonishment.

By disabled by default, is it available to consumers of WebKit easily, or do they have to rebuild it?

> b) Deliver with (incomplete and ostensibly unsafe) HTTPS enabled by
> default.
>
> If you're insisting on B, how do you advise managing the gap? Log a
> bug? Document a warning? Assume developers will be diligent or just know?

To be able to answer that, I need to understand if this gap exists on other platforms delivering WebKit, or is it somehow unique to OpenSolaris?

--
Darren J Moffat