Eddy Nigg (StartCom Ltd.) wrote:
> My question to your suggestion is, if we can't come up with something, that would tell the user _any_ difference between _any_ certificate. Which means, to display the user the most important information in a convenient way, which could be perhaps the subject line and issuer. Also it should contain additional information, such as perhaps the key size and encryption algorithm used for the connection, if the page contains unsecured content, if the CRL was checked and if the issuer is known (e.g. trusted). "EV validation" could be one of those details as well...
Eddy, if we are destined to forever disagree on this, so be it. But I can tell you for absolute certain that we are _not_ going to put Firefox users in a position of having to know and evaluate the relative trustworthiness of (or practices of) 50 different CAs, and the relative strengths of different encryption algorithms and key sizes, in order to work out whether a particular site is (relatively) safe to do business with.
"Throw all the information at the user and let them make up their own mind" is not going to be our UI strategy. So you may as well stop lobbying for it to be. :-|
Gerv
