On 2007-02-05, Gervase Markham <[EMAIL PROTECTED]> wrote:
[snip]
> "Throw all the information at the user and let them make up their own
> mind" is not going to be our UI strategy. So you may as well stop
> lobbying for it to be. :-|

Seems to me that your own point extends to EV though. I can't see what solution there is to having at least 3 levels - EV cert, non-EV cert, and no cert (possibly broken into some cert but without known root, and no cert at all). Is the plan to say that anything without EV is unsafe for, say, credit card details? Or will people know that EV is safe, and other secure sites may or may not be safe, but definitely aren't as safe as EV? Say, for example, that PayPal and eBay get EV, but Amazon doesn't - is the user then supposed to know that it's OK to put credit card details into Amazon without the indication, but they shouldn't trust something claiming to be eBay without it? I don't see how a simple on/off indication is going to work, unless it is "on" for any and all sites that a "normal" user wants to give their personal details to, which would involve lots of people going out and spending a lot of money on upgrading to EV (and I can't imagine that happening immediately, and if it doesn't reach some kind of tipping point, then the remainder probably won't see a reason to bother).

-- 
Michael
_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security