On 4/21/05, Gervase Markham <[EMAIL PROTECTED]> wrote: > Frank Hecker wrote: > > Incidentally note that IIRC I did not suggest that an https connection > > with an unknown CA have the exact same UI as an http connection;
Ok, I wasn't intending to pigeonhole you, just succinctly express the gist of the proposal. I remember the idea was presented as fluid. > > I think > > an informational error message (not a modal dialog) is appropriate in > > this case, since the result is unexpected behavior (i.e., if the user > > entered an https URL then they were presumably expecting to see the lock). > > Good point; I hadn't thought of that. Perhaps we want an (i) icon in > place of the lock which, when clicked, explains. I think it's important that any UI not be pejorative, as the current UI is. If the UI is pejorative, it will encourage people to just use plain HTTP and forgo the encryption and key-exchange offered by SSL. Firefox should not convey the impression that an HTTPS connection with an unknown CA is more dangerous than an HTTP connection. If the concern is specific to when a user types in a URL, the UI indication should also be specific to this case. Following this strategy, a warning is only displayed if the URL was typed in by the user. For all other cases, the UI is the same as for an HTTP connection. Tyler -- The web-calculus is the union of REST and capability-based security: http://www.waterken.com/dev/Web/ _______________________________________________ mozilla-crypto mailing list [email protected] http://mail.mozilla.org/listinfo/mozilla-crypto
