On Wed, Aug 14, 2019 at 10:16 AM Jakob Bohm wrote:

> On 14/08/2019 18:18, Peter Bowen wrote:
> > One thing I've found really useful in working on user experience is to
> > discuss things using problem & solution statements that show the before and
> > after. For example, "It used to take 10 minutes for the fire sprinklers to
> > activate after sensing excessive heat in our building. With the new
> > sprinkler heads we installed they will activate within 15 seconds of
> > detecting heat above 200ºC, which will enable fire suppression long before
> > it spreads."
> >
>
> It used to be easy for fraudsters to get an OV certificate with untrue
> company information from smaller CAs. By only displaying company
> information for more strictly checked EV certificates, it now becomes
> much more difficult for fraudsters to pretend to be someone else, making
> fewer users fall for such scams.
>
> Displaying an overly truncated form of the company information, combined
> with genuine high-trust companies (banks, credit card companies) often
> using obscure subsidiary names instead of their user trusted company
> names for their EV certs has greatly reduced this benefit.
>
> > If we assume for a minute that Firefox had no certificate information
> > anywhere in the UI (no subject info, no issuer info, no way to view chains,
> > etc), what user experience problem would you be solving by adding
> > information about certificates to the UI?
>
> This hasn't been the case since before Mozilla was founded.
>
> But let's assume we started from there, the benefit would be to tell
> users when they were dealing with the company they know from the
> physical world versus someone almost quite unlike them.
>
> Making this visible with as few (maybe 0) extra user actions increases
> the likelihood that users will spot the problem when there is one.
>

What is the problem being solved? You specify the benefit but I'm still not clear why this info is needed in the first place.

Thanks,
Peter