Michael Lefevre wrote:
> On 2007-02-05, Gervase Markham <[EMAIL PROTECTED]> wrote:
> [snip]
>> "Throw all the information at the user and let them make up their own mind" is not going to be our UI strategy. So you may as well stop lobbying for it to be. :-|

> Seems to me that your own point extends to EV though. I can't see what
> solution there is to having at least 3 levels - EV cert, non-EV cert, and
> no cert (possibly broken into some cert but without known root, and no
> cert at all).

It may not be ideal, but what's the alternative - stop supporting non-EV certs (i.e. 99.99% of certs today)?

There are valid roles for domain-control certs - for example, if I get a Welcome pack from my ISP saying "Get your secure webmail at https://webmail.isp.net", then they don't need anything more than a domain control cert.

> I don't see how a simple on/off indication is going to work, unless it is
> "on" for any and all sites that a "normal" user wants to give their
> personal details to,

"Personal details"? I give out personal details over plain HTTP all the time. Is that really what you meant?

> which would involve lots of people going out and
> spending a lot of money on upgrading to EV (and I can't imagine that
> happening immediately, and if it doesn't reach some kind of tipping point,
> then the remainder probably won't see a reason to bother).

EV's success is certainly not guaranteed. But if 200 Paypal customers have their account details stolen every day, and this becomes 150 because the other 50 IE 7 users go "no green bar - I won't enter my password" then that's obviously worth it for Paypal.

It doesn't have to solve the problem completely to be worth doing, and it doesn't have to be used by other sites to be valuable for your site.

Gerv
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
