On 6/18/05, Heikki Toivonen <[EMAIL PROTECTED]> wrote:
> Tyler Close wrote:
> > On 6/18/05, Heikki Toivonen <[EMAIL PROTECTED]> wrote:
> >>Current SSL system generally requires no input from user (exceptions are
> >>when some problem with the certificate the server presents).
> >
> > The above statement is incorrect and is a primary factor underlying
> > the current phishing problem. The current SSL UI requires substantial
> > user input on every site visit. To be safe, the user must verify that
>
> Maybe you weren't paying attention, or maybe the word input is not as
> precise as I thought it is. I said *input* - meaning the user must
> enter some data to the system.

Ah, I see. So if we demand users memorize and verify identification credentials, instead of providing the user with a way of writing down a reminder note, we have reduced the user's "input" to the system. According to you, this is a desirable outcome, and all dissenting solutions should be disqualified.

I find your classification of typing as "input", but detailed cross-checking before proceeding as not "input" arbitrary and grossly misleading. Do you have a user study, argument, or anything at all to back up your belief that users find memorization and detailed cross-checking easier than typing?

> The SSL system is not always easy to use, like you noted,

No, the current SSL UI is *never* easy to use. I challenge you to provide even a single counter-example.

Tyler

--
The web-calculus is the union of REST and capability-based security:
http://www.waterken.com/dev/Web/
_______________________________________________
Mozilla-security mailing list
Mozilla-security@mozilla.org
http://mail.mozilla.org/listinfo/mozilla-security