Hi Anne,
Just to clarify, are you saying that effective in FF release ?? that a
document obtained via https will allow only https for all subsequent
retrievals, images and js, etc. alike?
To the larger discussion, I have 2 questions: 1) what is the specific message
you'd like to convey to
On Mon, Sep 22, 2014 at 1:47 PM, fhw...@gmail.com wrote:
To the larger discussion, I have 2 questions: 1) what is the specific message
you'd like to convey to the user beyond what the simple lock icon provides.
2) What action do you intend the user to take based on seeing the new
On 17/09/14 08:34, Kurt Roeckx wrote:
A browser could perfectly reject a certificate that doesn't comply with
the BR because the required OCSP URI is missing.
It could. If such browsers existed, I agree it would have a negative
effect on the likelihood of success of a short-lived certs plan.
I wouldn't be worried about a browser rejecting a cert that doesn't
comply. Instead, I'd be worried about a qualified audit showing
non-compliance. Although Mozilla might not care about that particular
non-compliance, other browsers and partners might.
Jeremy
On 9/22/2014 8:36 AM, Gervase
On Sat, Sep 20, 2014 at 1:10 AM, Anne van Kesteren ann...@annevk.nl wrote:
My point is that UI indicators should reflect the reality of actual
technical security boundaries. Unless we actually create a boundary,
we shouldn't show that we have.
So why do you show special UI for EV?
For
On Mon, Sep 22, 2014 at 5:56 AM, Henri Sivonen hsivo...@hsivonen.fi wrote:
-- HTTP Strict Transport Security
Yes, but I think this requirement shouldn't apply to subresources for
the page to qualify, since top-level HSTS together with the No mixed
content requirement mean that there's no
On 9/20/14, 2:35 PM, Eric Mill wrote:
Spitting out dev console warnings is certainly a step forward. I'm not sure
how the new dev console and Firebug interact, but I assume these added
warnings would also show up in Firebug.
I've noted to make sure the warnings show up in Firebug too.
On Mon, September 22, 2014 11:23 am, Chris Palmer wrote:
On Sat, Sep 20, 2014 at 1:10 AM, Anne van Kesteren ann...@annevk.nl
wrote:
** Could the TACK key be the origin key?
Is TACK still going anywhere? The mailing list suggests it's dead.
But one could imagine it being resuscitated,
8 matches
Mail list logo