Walter Reynolds wrote:

> The problem is that you have the user validate the cert.  A hacker could
> provide another cert at a later time and a user, being used to having to
> accept a cert, may just click it.

> What we want to do is avoid that.

I very much understand the usability concerns here. The way to work around that, though, is to go ahead and set your certificate to be automatically accepted once validated. This way, if the user is presented with a popup later, they aren't tempted to click without checking. Just the presence of the popup should cause them to take notice and second-guess the validity.


> This still allows the availability of users accepting other certs. All this will do is allow the cert we "Always accept" to work for EAP authentication. It will not prevent other certificates from working.

No, but with a small amount of user education, it will cause them to take notice if they're asked to authorize something.


> I agree that the exposure is somewhat limited, but it relies on users not only setting up the certificate and accepting it, but also on knowing not to accept others, which I am not sure they will do.


I would argue that we should be continually educating our users to not blindly accept popups of any type...


--Mike
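As an added illustration of the point made above (pre-trust the legitimate certificate so that any later prompt is itself the warning sign), and not something from the thread or from either poster, here is what that looks like when it is enforced in a wpa_supplicant network block instead of by a user clicking a popup. The CA certificate and the RADIUS server's name are pinned, so a different certificate is rejected outright and the user is never asked to decide. The SSID, identity, CA file path and hostname are placeholders.

```ini
# Added example, not from the mailing-list thread. Placeholder values throughout.

# Weak: no ca_cert and no name match. wpa_supplicant documents that when
# ca_cert is unset the server certificate is not verified at all, so any
# certificate presented by a rogue access point is accepted silently.
network={
    ssid="campus-wifi"                # placeholder SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.edu"       # placeholder identity
    password="PLACEHOLDER"            # placeholder credential
    phase2="auth=MSCHAPV2"
}

# Hardened: pin the institution's CA and require the server name to match.
# A certificate that does not chain to this CA, or that carries a different
# name, fails the EAP handshake; there is no prompt for the user to misclick.
network={
    ssid="campus-wifi"                # placeholder SSID
    key_mgmt=WPA-EAP
    eap=PEAP
    identity="user@example.edu"       # placeholder identity
    password="PLACEHOLDER"            # placeholder credential
    phase2="auth=MSCHAPV2"
    ca_cert="/etc/ssl/certs/campus-radius-ca.pem"   # placeholder path to the campus CA bundle
    domain_suffix_match="radius.example.edu"        # placeholder RADIUS server name
}
```

The same two settings (a trusted CA and an expected server name) are what a managed client profile pushes out on other platforms; the thread's "Always accept" click is the manual equivalent, and pinning at configuration time removes the decision from the user entirely.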

**********
Participation and subscription information for this EDUCAUSE Constituent Group 
discussion list can be found at http://www.educause.edu/groups/.
