I think there is value in the concept, but it has a major failing from a usability perspective that falls out of data center operational practices. How many webservers do you think a big bank has? Some folks use SSL accelerators in front of their web-server or app-server farm, some folks have multiple machines with independent identities as they take a different strategy for meeting availability targets (capacity, uptime, performance). The UI benefit of advising "you've never been here" would disappear by the time folks noticed that they could get the warning when it is "clearly" wrong (the tenth time they visit their bank site and it throws the "new site" warning half the time).
This works very well when you have some other way to authenticate the site and need only ensure that you are visiting the site again. Of course, one way to authenticate a site is to use PKI as opposed to standalone PK techniques.
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security
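The usability failure described in the message above, as an added example that is not part of the original post: a trust-on-first-use key store visited through a round-robin farm whose machines have independent keys. The host name, key bytes, class and function names are constructed for illustration.

```python
import hashlib
from itertools import cycle, islice

HOST = "bank.example"  # constructed host name


def fingerprint(public_key: bytes) -> str:
    """Identify a server key by the SHA-256 of its encoded bytes."""
    return hashlib.sha256(public_key).hexdigest()


class KeyContinuityStore:
    """Trust-on-first-use store mapping a host to the key fingerprints it trusts."""

    def __init__(self, remember_all: bool):
        # remember_all=False: only the first key seen for a host is pinned.
        # remember_all=True: every key shown is pinned after one warning.
        self.remember_all = remember_all
        self.pins = {}

    def visit(self, host: str, public_key: bytes) -> str:
        fp = fingerprint(public_key)
        known = self.pins.setdefault(host, set())
        if not known:
            known.add(fp)
            return "first-visit"       # the legitimate "never been here" notice
        if fp in known:
            return "ok"
        if self.remember_all:
            known.add(fp)
        return "new-site-warning"      # wrong from the user's point of view


def false_warnings(farm_keys, visits: int, remember_all: bool) -> int:
    """Count warnings raised after the first visit when a load balancer
    hands out the farm's machines in round-robin order."""
    store = KeyContinuityStore(remember_all)
    results = [store.visit(HOST, k) for k in islice(cycle(farm_keys), visits)]
    return results.count("new-site-warning")


# Constructed sample keys: one shared identity (SSL accelerator in front of
# the farm) versus machines with independent identities.
ACCELERATOR = [b"shared-frontend-key"]
TWO_NODES = [b"node-a-key", b"node-b-key"]
FOUR_NODES = [b"node-a-key", b"node-b-key", b"node-c-key", b"node-d-key"]

if __name__ == "__main__":
    for name, farm in [("accelerator", ACCELERATOR), ("2 nodes", TWO_NODES),
                       ("4 nodes", FOUR_NODES)]:
        print(name, false_warnings(farm, 12, False), false_warnings(farm, 12, True))
```

With two independent identities and a single pinned key, half of the visits warn; pinning every key seen reduces this to one warning per additional machine, at the cost of accepting any key that is shown once.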