Having worked at a large CA for along time (trying to push for client-side 
certs with little luck), here are some thoughts on what Chrome could provide:

(a) Association with net identities: Provide some way for the user to associate 
his/her X.509 cert with an "internet identity" string (eg. OpenID, email 
address, etc etc) in the browser. (Yes, we could add such an identity in the 
SubjAltName, but that's outside the control of the end-user). This would allow 
the user to choose which cert to deliver to the server when the user is 
engaging the server using one of his/her identities. 

(PS. being able to associate with a small image/icon/photo of the user would 
also be nice).

The UI should be a simple as click cert and click identity, and then click 

(b) Export of certs: Provide an easy way to export client-certs to other apps.  
Currently some CAs use the browser as the primary means for cert enrollment. 
Currently in IE this is somewhat a lengthy process and the response (ie. export 
of cert successful or not) is also not very clear to the end-user.

The UI should not even talk about "export". It should say something along the 
lines of "Do you want to make your certificate available to the following Apps".

(c) Lock showing which cert/identity used: It would be useful if in addition to 
the Lock symbol (ie. SSL session established) there is a string (next to the 
Lock symbol) showing which client-side cert the browser is using for that SSL 
session. This is related to item (a) above, where a human-readable net identity 
is associate with the cert.

This helps the user in distinguishing which identity he/she is using when 
connecting to a Bank versus a Blog versus a corporate web-mail (all of which 
could be using distinct cert/identity). If there is a mismatch, the user can 
see this visually.

(d) Notification of expired certs:  It would be good if the browser could 
somehow notify the user if there are some expired certs (belonging to the user) 
in the browser. I'm finding that some browsers deliver the first cert in the 
list even when it has expired (thus causing the server to reject).

(e) Better notification/alerts of errors regarding server-certs:  This is a 
hard one as the average user (eg. my Mom) does not understand about certs to 
begin with. Since one of the main aims of SSL server-certs today is to prevent 
phishing, perhaps those messages should be "phishing-oriented".

This one need further thought, but perhaps a third button/option could be 
provided (in addition to the Cancel and Continue buttons). This third button 
could provide the user with some alternate sites with similar sounding domain 
names but with proven/valid server-certs.

(f) Better graphical representation of cert hierarchy: Perhaps not crucial, but 
a nice graphical representation of the cert hierarchy/tree might help educate 
the average user (my Mom/Dad) about what a CA is and where the user is located 
in the hierarchy. This would even help the average employee when his/her 
company is using a subordinate CA off a public CA.

When the user clicks on a node in the tree, it should show the organization 
name and other human friendly details.

(g) Easy check button for server-certs: It would be great if I could 
right-click the Lock symbol on the browser and be able to choose an action 
along the lines of "Validate Server Certificate". The browser would then hit 
the corresponding OCSP Responder (as denoted in the server-cert) and report the 
status to the user using some graphical notation (eg. icon of server with a big 
X if the server-cert is invalid or status unknown).

That's all for now. Will send more thoughts if any come up :)


> -----Original Message-----
> From: [mailto:owner-
>] On Behalf Of Ben Laurie
> Sent: Wednesday, August 05, 2009 9:59 AM
> To: Cryptography
> Subject: Client Certificate UI for Chrome?
> So, I've heard many complaints over the years about how the UI for
> client certificates sucks. Now's your chance to fix that problem -
> we're in the process of thinking about new client cert UI for Chrome,
> and welcome any input you might have. Obviously fully-baked proposals
> are more likely to get attention than vague suggestions.
> I imagine I may well hear "what about the UI around server
> certificates?" - fair enough, feel free, and I'll see what I can do.
> ---------------------------------------------------------------------
> The Cryptography Mailing List
> Unsubscribe by sending "unsubscribe cryptography" to

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to

Reply via email to