On Mon, Mar 30, 2009 at 09:50:20 -0700,
Craig White <craigwhite(a)azapple.com> wrote:
> I'm not sure that I agree with you at all but you're being vague. If I
> assume that you are talking about the way Firefox handles untrusted
> certificates with their alert and requires you to 'get the certificate'
> and accept & store or merely temporarily accept, then I disagree...I
> very much like the way they are handling untrusted certificates. By
> contrast, the way most portable devices such as iPhones, Blackberries,
> etc. handle untrusted certificates glosses over these details to the
> point of scary.

Because you have to jump through hoops if all you want is protection from
passive eavesdropping and not assurance that I am connected to the correct
web site. (And even the root CAs don't provide that. They provide assurance
about the connection matching the domain name, which isn't really the
same thing.)

> I'm not sure at all what you are accomplishing by removing the normally
> trusted root certificates.

If I return to a site I notice whether or not the certificate has changed.
The UI still sucks for this, since it wasn't designed to be used this way.
I have no special trust relationship with any of the organizations that
have their certs included in Firefox, and they don't certify what I really
want to know, so they just get in the way.