RE: Client Certificate UI for Chrome?

2009-08-12 Thread Thomas Hardjono

 From: James A. Donald []
 Sent: Sunday, August 09, 2009 1:21 AM
 To: Thomas Hardjono
 Cc: Ben Laurie; Cryptography
 Subject: Re: Client Certificate UI for Chrome?

 Thomas Hardjono wrote:
   In this UI discussion, I think its less relevant
   whether trust is hierarchical or flat/p2p.

 The hard part is always certificate management, which
 has to be launched off existing trust and connections.

 So the question is, do we have certificate management
 that assumes that everyone has boundless trust in
 Verisign, and no trust in existing connections and
 existing shared knowledge, or do we have certificate
 management designed make use of any existing
 connections, trust, and shared knowledge, wherever it is
 to be found?


Agree. Unfortunately (or fortunately) some browsers have
shipped with root CA certs for a number of years
 now, which does force the end-user to trust the CA.
This has been great for sales of SSL certs for VeriSign
and other CAs but there is still that fundamental problem
of educating the average user (Mom/Dad) about equating
trust with certs (or root CA certs).=20

I'm not sure if the Chrome folks would be prepared
to ship their browser without any CA certs loaded,
but that would be an interesting and perhaps even revolutionary idea.
Assuming the Chrome UI had a nice and easy way for users
to download and install certs (trust anchors), this
approach could level the playing field and allows
other modes of trust to be played-out.
Both LinkedIn and FaceBook could in fact be CAs
that issue certs based on the number of verified
connections that a person had.


The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to

RE: Client Certificate UI for Chrome?

2009-08-06 Thread Thomas Hardjono

Having worked at a large CA for along time (trying to push for client-side 
certs with little luck), here are some thoughts on what Chrome could provide:

(a) Association with net identities: Provide some way for the user to associate 
his/her X.509 cert with an internet identity string (eg. OpenID, email 
address, etc etc) in the browser. (Yes, we could add such an identity in the 
SubjAltName, but that's outside the control of the end-user). This would allow 
the user to choose which cert to deliver to the server when the user is 
engaging the server using one of his/her identities. 

(PS. being able to associate with a small image/icon/photo of the user would 
also be nice).

The UI should be a simple as click cert and click identity, and then click 

(b) Export of certs: Provide an easy way to export client-certs to other apps.  
Currently some CAs use the browser as the primary means for cert enrollment. 
Currently in IE this is somewhat a lengthy process and the response (ie. export 
of cert successful or not) is also not very clear to the end-user.

The UI should not even talk about export. It should say something along the 
lines of Do you want to make your certificate available to the following Apps.

(c) Lock showing which cert/identity used: It would be useful if in addition to 
the Lock symbol (ie. SSL session established) there is a string (next to the 
Lock symbol) showing which client-side cert the browser is using for that SSL 
session. This is related to item (a) above, where a human-readable net identity 
is associate with the cert.

This helps the user in distinguishing which identity he/she is using when 
connecting to a Bank versus a Blog versus a corporate web-mail (all of which 
could be using distinct cert/identity). If there is a mismatch, the user can 
see this visually.

(d) Notification of expired certs:  It would be good if the browser could 
somehow notify the user if there are some expired certs (belonging to the user) 
in the browser. I'm finding that some browsers deliver the first cert in the 
list even when it has expired (thus causing the server to reject).

(e) Better notification/alerts of errors regarding server-certs:  This is a 
hard one as the average user (eg. my Mom) does not understand about certs to 
begin with. Since one of the main aims of SSL server-certs today is to prevent 
phishing, perhaps those messages should be phishing-oriented.

This one need further thought, but perhaps a third button/option could be 
provided (in addition to the Cancel and Continue buttons). This third button 
could provide the user with some alternate sites with similar sounding domain 
names but with proven/valid server-certs.

(f) Better graphical representation of cert hierarchy: Perhaps not crucial, but 
a nice graphical representation of the cert hierarchy/tree might help educate 
the average user (my Mom/Dad) about what a CA is and where the user is located 
in the hierarchy. This would even help the average employee when his/her 
company is using a subordinate CA off a public CA.

When the user clicks on a node in the tree, it should show the organization 
name and other human friendly details.

(g) Easy check button for server-certs: It would be great if I could 
right-click the Lock symbol on the browser and be able to choose an action 
along the lines of Validate Server Certificate. The browser would then hit 
the corresponding OCSP Responder (as denoted in the server-cert) and report the 
status to the user using some graphical notation (eg. icon of server with a big 
X if the server-cert is invalid or status unknown).

That's all for now. Will send more thoughts if any come up :)


 -Original Message-
 From: [mailto:owner-] On Behalf Of Ben Laurie
 Sent: Wednesday, August 05, 2009 9:59 AM
 To: Cryptography
 Subject: Client Certificate UI for Chrome?
 So, I've heard many complaints over the years about how the UI for
 client certificates sucks. Now's your chance to fix that problem -
 we're in the process of thinking about new client cert UI for Chrome,
 and welcome any input you might have. Obviously fully-baked proposals
 are more likely to get attention than vague suggestions.
 I imagine I may well hear what about the UI around server
 certificates? - fair enough, feel free, and I'll see what I can do.
 The Cryptography Mailing List
 Unsubscribe by sending unsubscribe cryptography to

The Cryptography Mailing List
Unsubscribe by sending unsubscribe cryptography to