HggdH [2008-05-07 19:34 -0500]:
> On Thu, 2008-05-08 at 00:45 +0200, Martin Pitt wrote:
>
> > This doesn't have anything to do with power users/n00bs. An invalid
> > SSL certificate isn't any better or worse depending on the type of
> > user. If a site sets up SSL with an invalid certificate, then this
> > buys the user nothing but a false sense of security.
>
> Sorry. What *is* an invalid certificate? A certificate that does not
> carry the fully-qualified host name in its Common Name?

It doesn't need to have the FQDN as far as I know. The domain name is sufficient, so that it matches for all hosts in that domain. I don't particularly mind if I am talking to banking.mybank.com or svr23.mybank.com. The domain name should really match, otherwise the certificate does not fit the host name. However, I personally consider non-matching host names a much lesser evil than non-verifiable certificates.

> An invalid certificate is a certificate that is outside its timeframe
> (not valid before/after), or that does not verify against the root (all
> the way through the chain), or that is used outside its specified
> capabilities (but *this* one is oh so very tricky...), for example.

Right, but also self-signed certificates (since they prove nothing).

> But not matching the FQHN does *NOT* make a certificate invalid. At all.
> Even more because there is no standard requiring it. Well, there is the
> common use, but it is common use also for most users to accept any
> certificate received on the wire. Common use does not cut it.

Agreed, although it is very confusing. For large companies which do have several host names and have a lot of customers which interact with them (banks, major email providers, etc.) it shouldn't be a problem to get a properly signed certificate, and for small companies and private persons CAcert is appropriate (much less strong authentication, but compared to today's practice it's much better).

> 100% with you. But it all has to start with education, not just forcing
> a new feature down the user's throat. For most casual users, this
> education is -- from my own experience with casual and theoretically
> technical users -- not easy. And I do understand X509 & friends.

I don't consider it a new feature, but a better UI.

Firefox has always complained about invalid certificates, but until version 2 it was just the well-known 'SSL yadayada cannot be verified mumblemumble click here to shut me up' popup dialog, and really everyone just clicked this away, right? Security click-through dialogs should be abolished, since they achieve nothing and are really just an excuse for the software provider: "I know it is unsafe, and cannot give you something better. Of course you can't know either, but at least I can make it your problem now."

Now you get at least a proper error message page. I don't doubt that the text can be improved and made more concise/clear, etc., but the UI is much better IMHO.

Martin

-- 
Martin Pitt | http://www.piware.de
Ubuntu Developer (www.ubuntu.com) | Debian Developer (www.debian.org)
-- 
Ubuntu-devel-discuss mailing list
Ubuntu-devel-discuss@lists.ubuntu.com
Modify settings or unsubscribe at: https://lists.ubuntu.com/mailman/listinfo/ubuntu-devel-discuss
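As an added illustration (not part of the thread above), here is a small Python check that separates the cases the old click-through dialog lumped together: self-signed, outside its validity window, and host name mismatch. It operates on the dict layout Python's stdlib `ssl` module returns from `getpeercert()`; the sample certificate is constructed, and chain verification against the root is left to the TLS library.

```python
import ssl
import time

# Constructed sample in the getpeercert() layout; not a real certificate.
SAMPLE_CERT = {
    "subject": ((("commonName", "*.mybank.com"),),),
    "issuer": ((("commonName", "Example Root CA"),),),
    "subjectAltName": (("DNS", "*.mybank.com"), ("DNS", "mybank.com")),
    "notBefore": "May 10 00:00:00 2008 GMT",
    "notAfter": "May 10 00:00:00 2009 GMT",
}

def _dns_names(cert):
    """Names the certificate claims: SAN DNS entries, else the subject CN."""
    names = [v for k, v in cert.get("subjectAltName", ()) if k == "DNS"]
    if names:
        return names
    return [v for rdn in cert.get("subject", ()) for k, v in rdn if k == "commonName"]

def hostname_matches(pattern, hostname):
    """RFC 6125-style match: one '*' may stand for exactly one label, only in
    the left-most position, so *.mybank.com covers svr23.mybank.com but not
    mybank.com or a.b.mybank.com."""
    pattern, hostname = pattern.lower().rstrip("."), hostname.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == hostname
    plabels, hlabels = pattern.split("."), hostname.split(".")
    if plabels[0] != "*" or "*" in pattern[1:] or len(plabels) < 3:
        return False
    return len(plabels) == len(hlabels) and plabels[1:] == hlabels[1:]

def classify(cert, hostname, now=None):
    """Return the problems found, the ones that make the certificate
    unverifiable first; an empty list means it checks out."""
    now = time.time() if now is None else now
    problems = []
    if cert.get("subject") == cert.get("issuer"):
        problems.append("self-signed")          # proves nothing about the site
    if now < ssl.cert_time_to_seconds(cert["notBefore"]):
        problems.append("not-yet-valid")
    if now > ssl.cert_time_to_seconds(cert["notAfter"]):
        problems.append("expired")
    if not any(hostname_matches(n, hostname) for n in _dns_names(cert)):
        problems.append("hostname-mismatch")    # the lesser evil, but still reported
    return problems

if __name__ == "__main__":
    june_2008 = ssl.cert_time_to_seconds("Jun 1 00:00:00 2008 GMT")
    for host in ("banking.mybank.com", "mybank.com", "a.b.mybank.com"):
        print(host, classify(SAMPLE_CERT, host, now=june_2008))
```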