[HTTPS-Everywhere] what does HTTPS-Everywhere consider a "valid" X.509 certificate? [was: Re: Custom rules]
Daniel Kahn Gillmor
dkg at fifthhorseman.net
Fri Oct 15 09:36:08 PDT 2010
On 10/15/2010 12:03 PM, https-everywhere at lists.grepular.com wrote:
> Perhaps there could be a couple of user configuration options?
>
> Trusted certificates only? (default yes?)

I think this misses the point that i was trying to raise:

Whether or not a given certificate is valid (i'd rather not use the
overloaded/confused/confusing term "trusted" for end-entity certs) for a
specific web site is not something that the HTTPS-Everywhere authors can
reliably determine ahead of time.

Reasonable people can disagree about the validity of a certificate (e.g.
i might not be willing to rely on certifications made by FooCorp, but
you might).

Does the HTTPS-Everywhere team want to put themselves in the position of
acting as a sort of meta-CA (deciding which CAs are "legit" or
"trustworthy")? If not, how can we avoid that position?

--dkg