Re: Re: for the security minded web developer - secure way to login?

Colin Guthrie wrote:
'Twas brillig, and Per Jessen at 16/02/09 13:49 did gyre and gimble:
Colin Guthrie wrote:
Colin, I think you're mixing apples and oranges here - http(s) was never
meant to provide any indication of "trust". Besides, how do you suggest
we distinguish between CAs "with no trust" and CAs "with trust"?

Well you're probably right.

I appreciate that https doesn't provide "trust" by default, but ultimately that's how the Joe Bloggs public has been told to deal with it: "look for the padlock", etc., to be sure that your session is secure, blah blah. Now with the HV certs the UI also has the company name in the URL, and this *is* going towards a trust infrastructure.

If you are e-commerce, then trust is an issue and you should pay for one of the certs that turns your URL bar a pretty color.

If you just want public/private key encryption, you don't need the pretty color and shouldn't be forced to use a CA.

Trust the pretty color as authenticated.
Perhaps where we should go is that even if the URL is https:// there is no UI change in the browser. Only if the cert is trusted by a CA should the browser UI change to indicate this in some way, with HV certs being explicitly indicated as such to increase the "trust" aspect.

One idea I saw is to only show the lock when a trusted CA is used.
I'm fine with that.

--
PHP General Mailing List (http://www.php.net/)
To unsubscribe, visit: http://www.php.net/unsub.php
