Jennifer Glick wrote:
> In response to the original posting, Mail Security Spec
> <news://news.mozilla.org/3BE067D8.E521F3E9%40netscape.com>, some
> alternative ideas are posted here:
> http://www.mozilla.org/mailnews/specs/security/Options.html
Let me think out loud about Option 3 (with the Security icon in the
Taskbar) to shake out some assumptions. Please bear with me, and let me
know where my assumptions don't match yours.
**The Security Icon**
Display:
The security icon behaves as it did in Communicator. That means it
represents the *goal* of the user (regardless of the client's ability to
meet those goals). It has these states:
1. Unlocked, meaning no encryption and no signature. This is
the factory default for the product.
2. Unlocked with a luggage tag, meaning signed but not encrypted.
3. Locked with no luggage tag, meaning encrypted but not signed.
4. Locked with a luggage tag, meaning encrypted and signed.
Mouseover:
For each of the above icon states, the client will display the following
tooltips:
1. This message will not be signed or encrypted. Click to
change these settings.
2. This message will be signed, but not encrypted. Click to
change these settings.
3. This message will be encrypted, but not signed. Click to
change these settings.
4. This message will be signed and encrypted. Click to
change these settings.
Clicking:
When users click on the lock icon, they'll get a popup menu item with
these elements:
-Don't Encrypt this message
-Encrypt this message if possible
-Encrypt this message
---------------------------------
-Sign this message
If the user selects "Sign this message" and has not established a
signing cert from the prefs menu, he'll get a warning that says
something like "You are trying to sign this message, but you have not
selected a default signing certificate. [OK] [[Tell me more]]". The
client will not leave the user hanging, but will direct him in the hopes
that he can complete his intended task.
If the user selects "Encrypt this message if possible", the client will
show the "UNlocked" icon even though his intent is to encrypt some of
the time. This configuration prevents users from thinking all their
email is secure when in fact most of it is not.
**Status Bar**
Display:
The Pen and Padlock icons are always present. In the base case (no
S/MIME), the pen is broken (or somehow shown to be not activated) and
the padlock is open. These icons represent the state of the message.
Highlights include:
- If the user has selected the "Sign this message" option from the
lock icon in the Taskbar and has correctly selected a signing cert
in the prefs window, the pen will be solid.
- If the user has selected "Encrypt this message" from the lock
icon in the Taskbar, and he has *all* the required certs, the
Status Bar lock icon will be in the "locked" state. Otherwise it
will remain in the "unlocked" state since the message cannot be
sent encrypted. Also, the Send button will be disabled until
all certs are present.
- If the user has selected "Encrypt this message if possible" from
the lock icon in the Taskbar, and he has *all* the required certs,
the Status Bar lock icon will be in the "locked" state. Otherwise it
will remain in the "unlocked" state since the message cannot be
sent encrypted. Since this is the "if possible" variation, the
Send button will never be deactivated.
Mouseover:
When you mouseover the pen icon, you'll see one of these tooltips:
- This message will be sent unsigned. Click to get more information.
- This message will be signed by "Robert Lord's AOL
Intranet" certificate. Click to get more information.
When you mouseover the lock icon, you'll see one of these tooltips:
- This message will be sent unencrypted. Click to get
more information.
- This message will be sent encrypted. Click to get more information.
Clicking:
Clicking on the pen or padlock icons will open a (yet to be defined)
window that:
1. Shows which cert you are using, if any, to sign this email. It
allows you to select a different cert than your default cert for this
message only.
2. Shows which cipher and keylength, if any, will be used.
3. Allows you to set any of the Sign or Encrypt settings available
in the Security button in the Taskbar.
4. Can send you to help pages, perhaps including pages of Public CAs.
**Addressing fields**
Display:
When you elect to "Encrypt this message" or to "Encrypt this message if
possible", you'll see icons to the left (right?) of each email address
indicating either a "certificate icon", or a "missing certificate" icon.
Non-S/MIME users will see no such certificate icons.
Mouseover:
When you mouseover the certificate icon, you'll see one of these two
tooltips:
- You have a certificate for this recipient on file. Click to
get more information.
- You do not have a certificate for this recipient on file. Click
to get more information.
Clicking:
When you click on a certificate icon, you'll get a window that tells you
about the cert if it's available (probably by just opening the existing
Certificate Viewer window), or tells you that you still need to obtain
that cert. Perhaps that window can help you learn about the ways you
can get the recipient's cert.
Pros:
-S/MIME is very discoverable
-Leverages S/MIME UI in Communicator, but is more task based. (No more
dead-ends!)
-Allows you to select certs on a per-message basis.
Cons:
1. The client will tell the user how the message will be sent by setting
an icon in the taskbar rather than on the Send button. Users are more
likely to notice changes on or near the Send button. In fact, the
status of the encryption for this message couldn't be any further away
from the Send button (they are at opposite ends of the window). This
change probably impacts users who select the "Encrypt if possible"
default more than users who select "Encrypt". A user who might be
willing to go fetch one last recipient's cert might not see the unlocked
icon in the Status Bar and send the message unencrypted. That's not
such a terrible thing (that's why there's a pref), but it does seem that
connecting the Send button with the encryption status would be helpful.
2. The lock icon does not really represent the notion of "Encrypt if
possible" very well. I personally will select "Encrypt if possible", as
will many corporate deployments. This area may need more thinking.
--
Bob Lord
Director, Security Engineering
Netscape Communications Corp.
http://www.mozilla.org/projects/security/pki/
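The icon and Send-button rules laid out above (Taskbar icon shows the user's goal, Status Bar icons show what the client can actually do, only the hard "Encrypt this message" choice blocks sending) can be written down as one decision function. This is an added illustration, not code from the post or from Mozilla; the `EncryptMode`, `ComposeState` and `compose_state` names are assumptions made here.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional

class EncryptMode(Enum):
    # The three encryption choices in the Taskbar popup menu
    DONT = "Don't Encrypt this message"
    IF_POSSIBLE = "Encrypt this message if possible"
    ALWAYS = "Encrypt this message"

@dataclass(frozen=True)
class ComposeState:
    taskbar_locked: bool      # Taskbar Security icon: the user's *goal*
    taskbar_tag: bool         # luggage tag = user asked to sign
    pen_solid: bool           # Status Bar pen: message really will be signed
    padlock_locked: bool      # Status Bar padlock: message really will be encrypted
    send_enabled: bool
    warning: Optional[str]    # shown when a choice cannot currently be honoured

def compose_state(mode: EncryptMode, sign: bool,
                  have_signing_cert: bool,
                  have_all_recipient_certs: bool) -> ComposeState:
    """Derive icon states and the Send button from the user's Taskbar choices
    and from which certificates are actually on file."""
    warning = None
    if sign and not have_signing_cert:
        # The client directs the user instead of leaving him hanging
        warning = ("You are trying to sign this message, but you have not "
                   "selected a default signing certificate.")
    # Taskbar lock shows intent only; "if possible" deliberately stays unlocked
    taskbar_locked = mode is EncryptMode.ALWAYS
    # Status Bar icons reflect what will happen when Send is pressed
    pen_solid = sign and have_signing_cert
    wants_encryption = mode in (EncryptMode.IF_POSSIBLE, EncryptMode.ALWAYS)
    padlock_locked = wants_encryption and have_all_recipient_certs
    # Only "Encrypt this message" disables Send until all certs are present
    send_enabled = not (mode is EncryptMode.ALWAYS and not have_all_recipient_certs)
    return ComposeState(taskbar_locked, sign, pen_solid,
                        padlock_locked, send_enabled, warning)

if __name__ == "__main__":
    # Walk every combination so the two "Encrypt" variants can be compared
    for mode in EncryptMode:
        for certs in (True, False):
            s = compose_state(mode, sign=True, have_signing_cert=True,
                              have_all_recipient_certs=certs)
            print(f"{mode.value:36} all certs={certs!s:5} "
                  f"padlock={s.padlock_locked!s:5} send={s.send_enabled}")
```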