Radical though it might be, something like this might actually work. However, rather than using the phrase "site identity verified" (what does this actually mean to users?)
Just to clarify - my proposal wasn't supposed to suggest any UI at all, and particularly not that :-)
My current UI idea is perhaps to make the domain name bold, but I'm very open to ideas here.
Otherwise there'd be no distinction to the user between encrypted SSL connections using low-assurance certs and unencrypted connections to sites with domain names verified via DNSSec. I know some would argue that SSL connections using low-assurance certs are indistinguishable from non-SSL connections from a security point of view, but I don't think treating them exactly the same from a UI perspective serves the interests of anyone, least of all users.
Fair point.
If we are going to do this, we need to:
- Collaborate with other browser manufacturers. Having divergent UI on this would be a disaster, and banks wouldn't know how to educate their customers.
- Work out with them exactly what states we want to indicate, and the UI to choose. We should choose as few states and variables as we can possibly get away with, rather than looking at it from a "what would it be nice to differentiate?" point of view.
Gerv
_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
