On 12/31/12 7:26 AM, Kai Engert wrote:

I envision a UI where users are required to approve once, whether the
combination of a CA and a domain is acceptable to the user.

I think this is a non-starter. It feels a lot like bouncing the hard work to the user, and then blaming them if they choose poorly. A core prerequisite for getting users to make a meaningful (let alone sound) decision is presenting them with the relevant info in a concise and understandable format -- but I can't even begin to imagine how one would do that for a CA.

It's also bad for the web to be constructing new barriers to cross-border communication. A site in country X is going to lose significant traffic if foreign visitors are presented with a scary security dialog on their first visit. It would also seem to punish 3rd world countries, where there might not even be a local CA (or a reputable local CA).

This would also be terribly annoying UI. Users would get these popups frequently, and treat them as Whatever Buttons. I'd reject it on that basis alone.

Justin
_______________________________________________
dev-security mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-security
