Having worked at a large CA for a long time (trying to push for client-side
certs with little luck), here are some thoughts on what Chrome could provide:
(a) Association with net identities: Provide some way for the user to associate
his/her X.509 cert with an internet identity string (eg. OpenID, email
address, etc etc) in the browser. (Yes, we could add such an identity in the
SubjAltName, but that's outside the control of the end-user). This would allow
the user to choose which cert to deliver to the server when the user is
engaging the server using one of his/her identities.
(PS. being able to associate with a small image/icon/photo of the user would
also be nice).
The UI should be as simple as click cert and click identity, and then click
(b) Export of certs: Provide an easy way to export client-certs to other apps.
Currently some CAs use the browser as the primary means for cert enrollment.
Currently in IE this is a somewhat lengthy process and the response (ie. export
of cert successful or not) is also not very clear to the end-user.
The UI should not even talk about export. It should say something along the
lines of "Do you want to make your certificate available to the following Apps".
(c) Lock showing which cert/identity used: It would be useful if in addition to
the Lock symbol (ie. SSL session established) there is a string (next to the
Lock symbol) showing which client-side cert the browser is using for that SSL
session. This is related to item (a) above, where a human-readable net identity
is associated with the cert.
This helps the user in distinguishing which identity he/she is using when
connecting to a Bank versus a Blog versus a corporate web-mail (all of which
could be using distinct cert/identity). If there is a mismatch, the user can
see this visually.
(d) Notification of expired certs: It would be good if the browser could
somehow notify the user if there are some expired certs (belonging to the user)
in the browser. I'm finding that some browsers deliver the first cert in the
list even when it has expired (thus causing the server to reject).
(e) Better notification/alerts of errors regarding server-certs: This is a
hard one as the average user (eg. my Mom) does not understand about certs to
begin with. Since one of the main aims of SSL server-certs today is to prevent
phishing, perhaps those messages should be phishing-oriented.
This one needs further thought, but perhaps a third button/option could be
provided (in addition to the Cancel and Continue buttons). This third button
could provide the user with some alternate sites with similar sounding domain
names but with proven/valid server-certs.
(f) Better graphical representation of cert hierarchy: Perhaps not crucial, but
a nice graphical representation of the cert hierarchy/tree might help educate
the average user (my Mom/Dad) about what a CA is and where the user is located
in the hierarchy. This would even help the average employee when his/her
company is using a subordinate CA off a public CA.
When the user clicks on a node in the tree, it should show the organization
name and other human friendly details.
(g) Easy check button for server-certs: It would be great if I could
right-click the Lock symbol on the browser and be able to choose an action
along the lines of "Validate Server Certificate". The browser would then hit
the corresponding OCSP Responder (as denoted in the server-cert) and report the
status to the user using some graphical notation (eg. icon of server with a big
X if the server-cert is invalid or status unknown).
That's all for now. Will send more thoughts if any come up :)
From: owner-cryptogra...@metzdowd.com [mailto:owner-cryptogra...@metzdowd.com] On Behalf Of Ben Laurie
Sent: Wednesday, August 05, 2009 9:59 AM
Subject: Client Certificate UI for Chrome?
So, I've heard many complaints over the years about how the UI for
client certificates sucks. Now's your chance to fix that problem -
we're in the process of thinking about new client cert UI for Chrome,
and welcome any input you might have. Obviously fully-baked proposals
are more likely to get attention than vague suggestions.
I imagine I may well hear "what about the UI around server
certificates?" - fair enough, feel free, and I'll see what I can do.
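Items (a), (c) and (d) above describe a selection rule the browser could apply: keep a user-chosen association from an identity string to one or more client certs, present the identity and the cert actually used next to the lock, and never hand the server an expired cert just because it is first in the list. The following Go program is an added example written for this page, not code from the thread, from Chrome, or from the CA discussed; it uses only the Go standard library (crypto/x509), and the identityStore type, the identities alice@example.com and bob@example.com, and the self-signed test certificates are all constructed here for illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeClientCert builds a self-signed client certificate whose SubjectAltName
// carries one e-mail address. Constructed test data only; a real client cert
// would be issued by a CA.
func makeClientCert(email string, notBefore, notAfter time.Time, serial int64) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:   big.NewInt(serial),
		Subject:        pkix.Name{CommonName: email},
		NotBefore:      notBefore,
		NotAfter:       notAfter,
		EmailAddresses: []string{email},
		ExtKeyUsage:    []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// identityStore is the user-maintained association from item (a): an identity
// string mapped to the certs the user chose for it (a hypothetical type; the
// binding is the user's choice, not something read out of the cert).
type identityStore map[string][]*x509.Certificate

// validAt reports whether now falls inside the certificate's validity window.
func validAt(c *x509.Certificate, now time.Time) bool {
	return !now.Before(c.NotBefore) && !now.After(c.NotAfter)
}

// selectCert picks the cert to present for identity, skipping expired or
// not-yet-valid entries instead of returning the first one in the list
// (the failure mode described in item (d)).
func selectCert(store identityStore, identity string, now time.Time) (*x509.Certificate, error) {
	certs, ok := store[identity]
	if !ok {
		return nil, fmt.Errorf("no certificate associated with identity %q", identity)
	}
	for _, c := range certs {
		if validAt(c, now) {
			return c, nil
		}
	}
	return nil, errors.New("every certificate for this identity is expired or not yet valid")
}

// expiredCerts returns, per identity, the stored certs whose NotAfter has
// passed: the data a browser would surface as the warning from item (d).
func expiredCerts(store identityStore, now time.Time) map[string][]*x509.Certificate {
	out := map[string][]*x509.Certificate{}
	for id, certs := range store {
		for _, c := range certs {
			if now.After(c.NotAfter) {
				out[id] = append(out[id], c)
			}
		}
	}
	return out
}

// demoStore builds a constructed store: alice has an expired cert listed
// first and a current one second; bob has a single current cert.
func demoStore(now time.Time) (identityStore, error) {
	year := 365 * 24 * time.Hour
	aliceOld, err := makeClientCert("alice@example.com", now.Add(-2*year), now.Add(-year), 1)
	if err != nil {
		return nil, err
	}
	aliceNew, err := makeClientCert("alice@example.com", now.Add(-24*time.Hour), now.Add(year), 2)
	if err != nil {
		return nil, err
	}
	bob, err := makeClientCert("bob@example.com", now.Add(-24*time.Hour), now.Add(year), 3)
	if err != nil {
		return nil, err
	}
	return identityStore{"alice@example.com": {aliceOld, aliceNew}, "bob@example.com": {bob}}, nil
}

func main() {
	now := time.Now()
	store, err := demoStore(now)
	if err != nil {
		panic(err)
	}
	c, err := selectCert(store, "alice@example.com", now)
	if err != nil {
		panic(err)
	}
	// The lock-adjacent label from item (c): the identity plus the cert actually used.
	fmt.Printf("identity alice@example.com using cert serial %s\n", c.SerialNumber)
	for id, certs := range expiredCerts(store, now) {
		fmt.Printf("identity %s has %d expired certificate(s)\n", id, len(certs))
	}
}
```

With the expired cert deliberately placed first in alice's list, selectCert skips it and returns serial 2, while expiredCerts reports alice as having one expired cert that the browser could flag; asking for an identity with no association, or for alice at a time when both of her certs have lapsed, returns an error rather than a silently rejected cert.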
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com