On 2/7/07, Dan Veditz <[EMAIL PROTECTED]> wrote:
Part of the Firefox 3 plan is to revamp the security indicators. The current UI is created (I won't say "designed") by software developers, the new UI will be designed by folks trained to design UI. Don't know what they'll come up with, but I'm looking forward to it.
As am I. And, just to put something to rest, let me say this: as the owner of ui-review on the /browser module, and speaking for myself and mconnor (module owner of /browser), I can assure you that Firefox will *not* support a UI where the presence of an EV certificate alone[1] generates a message of "This website is safe" or even "This website is trustworthy." That's the padlock mistake, and we're *not* going to make it again.

I should also mention that this area has been seen as important enough to result in the hiring of Johnathan Nightingale (formal announcement to appear next week when he officially starts, but you can read his announcement on his blog: http://blog.johnath.com/index.php/2007/02/08/transition/).

So yeah, we're taking this seriously, and will look at the UI with care and due attention.

Can we stop arguing about it now? Or at least wait until we have a design proposal to argue about?

There *is* something I'd like to go back to arguing, which is: do we feel like these guidelines for audit and acceptance are solid? Are there changes we want to propose to the CA/B Forum? So far I've heard reasonable arguments for:

- linking a form of government ID to the application (proposed, but dropped, but we can repropose it)
- increasing the liability exposure for CAs found to be lax in their applications of the guidelines
- formalising the set of third-party identity providers to verify business information
- a whole slew of noise about whether or not this is a conspiracy by Kelvin Yiu and Phillip Hallam Baker to make a few extra bucks on the side

I'm really only interested in points like the first three. If it's a market conspiracy, you can bet your bippy that the market will decide.

cheers,
mike

[1]: In fact, I don't think that in the timeframe of Firefox 3 there will be any set of metadata which we'd use to declare "This website is safe", but I'm willing to be proven wrong so I don't want to overstate my position.

--
/ mike beltzner / phenomenologist / mozilla corporation /
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
