Since the discussion on this case has gotten controversial again, I have changed the status in the IAM file to "waiting fast-track" and increased the timeout to 08/12.

Alfred, can you respond to Darren and Mark's issues?

Thanks,
Brian

Darren J Moffat wrote:
> Mark Martin wrote:
>> I don't think the only issue is the lack of a handy, well known cert
>> repository; the fact that the underlying implementation doesn't
>> validate properly would probably surprise folks.
>
> That really depends on what you mean by "validate properly", sure there
> are standards that define how this is done but one person's proper
> validation is also over the top for other cases and highly insufficient
> for others.
>
>> The choices that I saw were:
>> a) Deliver with HTTPS disabled by default. Principle of least
>> astonishment.
>
> By disabled by default is it available to consumers of WebKit easily or
> do they have to rebuild it?
>
>> b) Deliver with (incomplete and ostensibly unsafe) HTTPS enabled by
>> default.
>>
>> If you're insisting on B, how do you advise managing the gap? Log a
>> bug? Document a warning? Assume developers will be diligent or just
>> know?
>
> To be able to answer that I need to understand if this gap exists on
> other platforms delivering WebKit or is it somehow unique to OpenSolaris?