Boris Zbarsky wrote:
No. The URL is in the address bar. That's not the same thing:
http://[EMAIL PROTECTED]/login/foo?value=reallylongthingbecauseICan
vs
EVIL.COM
Not that that would necessarily help with www.citibank.com.evil.com,
mind you. ;)
OK, got you
--
Regards
Eddy Nigg (StartCom Ltd.) wrote:
I could get more into details here, but I spare you that ;-). But the
obvious is, that the very operators of the sites in question have the
solution to the problem much closer at hand than anybody else!
Really? Perhaps you could suggest it, if it's so easy.
Ben Bucksch wrote:
But you have to know exactly when the CA is going to call.
No, not necessarily. Caller ID. Reroute all calls coming from CA.
We're in fantasy land now. If I can get control of all phone calls
coming into and going out of a company, I wouldn't use a CA. I'd pick
some
Ben Bucksch wrote:
Gervase Markham wrote:
If the checks were not performed properly by the CA, the CA is liable.
No. If they follow the guidelines, they disclaim liability.
Then the checks have been performed properly. You can't have it both
ways. The CA can't both not perform the checks
Eddy Nigg (StartCom Ltd.) wrote:
However I never heard from you that you agree with me - even partially -
but outright dismissed my suggestions! It seems now, that for whatever
reasons (because IE has it (???)), that you seem to come to a similar
understanding...
I don't really agree with
Gervase Markham wrote:
Really? Perhaps you could suggest it, if it's so easy.
No problem! We'd be glad to provide a workable and effective solution,
should any web site operator contact us and request it. However I doubt
that we are that much smarter than the developers of their sites
Gervase Markham wrote:
I don't really agree with you, I'm afraid. :-) We should not display
this information for non-EV certificates
You continue with the mistake to withhold *INFORMATION*. This is exactly
why users today have no clue about SSL enabled sites whatsoever! The
lack of accessible