On 2-Jan-09, at 2:00 AM, Ian G wrote:

> On 2/1/09 03:44, Kyle Hamilton wrote:
>> If he's a security and user interface expert, why is the security UI
>> so appallingly *bad*?
>
> Not answering for gerv, but I would say: he is the human shield,
> against all influences, inside and outside!
>
> He's only one guy, and he has the entire battle field to deal with.
> Every time he moves to the left, the right mobs him. Every time he
> moves to the right, the left undermines him.
>
> The result is bad, but it isn't his fault, it's the fault of the
> situation he is in. However, at least we have a result! Before he
> was there, the only thing we had was random experimentation (like
> Gerv's much missed yellow bar) and corporate denial of the issue.

Hey Ian,

I appreciate the understanding of the situation, but I'm not quite
ready to call the job impossible just yet, despite the array of forces
being very much as you describe them.

I doubt it will surprise you to know that Kyle isn't the first person
to throw such stones. What is comparatively rarer is helpful,
balanced suggestions for moving forward. In the meantime though, it's
worth remembering that Firefox 3.1, when it comes out, will have
private browsing mode, better clear private data support, SSL errors
that interrupt user workflow explicitly instead of being ignored away,
anti-malware and anti-phishing protection, fewer "You are submitting a
search to Google" useless dialog boxes, an identity indicator that
actually calls out the names of CAs issuing certs, and a much better
mixed mode detection story than we had a little while ago, among others.

We are always short-staffed on this stuff though, so it's great to see
people like Kyle eager to help.

> So Jon goes to CAB Forum with a mandate to speak for the end-users,
> without any input from Mozilla, the browser vendor?

Obviously I'm there representing a browser, but Mozilla's interests
tend to align with end users most of the time. We don't, for
instance, have a profit motive creating potential conflicts of
interest. To give you a somewhat recent example, we were strong
proponents of mandatory OCSP support by 2010 because we think it's
better for the health of the net to have high-availability revocation
information available for high-assurance certs, despite the arguments
from some quarters that it would be too costly to support on
high-traffic sites.

Johnathan
---
Johnathan Nightingale
Human Shield
john...@mozilla.com
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto