Comment 35 for bug 239360

Kai Engert (kaie) wrote:

(In reply to comment #31)
> "issued by the site itself" sounds entirely legitimate. What's wrong with
> using a certificate for paypal.com that paypal.com itself issued?
> The point is that *we do NOT know* who issued it. Maybe it was the
> site named in the cert, or maybe it is an attacker.

Good point. I still think that a terse scary wording is better than a lot of explanation. Is there any value in telling the user the difference between self signed and unknown issuer?

Imagine we use different wordings, and one of our wordings sounds a little less scary than the other; then attackers will use the kind of cert that sounds less scary :-)

> Expired Cert: Add: "This certificate may have been revoked, and we have no
> way to tell, since it is expired." or "FireFox cannot determine if
> expired certificates have been revoked or not."

What does it mean to an end user to read "certificate might be revoked or might not be revoked"? Probably confusion.

I personally think it's ok to omit the technical details and say something like Johnathan's UI currently shows or Bob's proposal.

To add my version to the mix of ideas :-)

"This site presented an expired identity certificate. The ownership of the certificate can no longer be verified. It might be in possession of someone who is trying to attack your connection and commit a crime."