Michael Ströder wrote:
> But I'm strictly against any service-specific branding in the GUI of a
> PKI client. It should always look the same no matter which service is
> accessed

Agreed.

> Sure the UI for choosing the client cert could be improved, e.g. just by
> displaying more informational attributes from the cert and the PKI
> properly filling these attributes.

Essentially you are saying that Information Cards is a bad idea. I believe that they rather form a virtual counterpart to physical cards in a wallet. That this will forever keep the "uneducated masses" unaware of what PKI really is, is IMO a precondition for success, since the PKI people themselves do not [generally] fully master PKI!

In case you feel ready for yours truly's "PKI challenge", you could try outlining how *you* would, on an Internet scale, deal with the problems mentioned in this document:
http://web.telia.com/~u18116613/A.R.AppliedPKI-Lesson-1.pdf

Naturally all these issues have been solved in a very nice fashion, but NOT by PKI people, because they simply do not understand IT, only cryptography. Please don't take it personally; you could be an exception :-)

Yes, this is also highly related to TLS-client-cert-auth.

Anders

----- Original Message -----
From: "Michael Ströder" <[EMAIL PROTECTED]>
Newsgroups: mozilla.dev.tech.crypto
To: <dev-tech-crypto@lists.mozilla.org>
Sent: Friday, August 29, 2008 14:07
Subject: Re: The branding stuff. Was: TLS-client-cert-auth in .SE

Anders Rundgren wrote:
> It appears that the word "branding" in a PKI GUI sent
> some bad vibes around but it is really about switching from
> unintelligible textual data such as
>
> CN=John Smith, serialNumber=554544
>
> to a card metaphor like you already use in the physical world;
> not about annoying the user with Vista-like security pop-ups
> that only security experts understand. Something along the
> following lines http://informationcard.net is needed.
>
> Some people have "solved" this issue by making the PIN
> dialog branded but that is usually done by assuming that
> each card issuer has its own proprietary driver.

Sure the UI for choosing the client cert could be improved, e.g. just by displaying more informational attributes from the cert and the PKI properly filling these attributes.

But I'm strictly against any service-specific branding in the GUI of a PKI client. It should always look the same no matter which service is accessed. Otherwise a user cannot learn how to do the right thing in general. And experience shows that designers do not have any technical understanding and will tend to overwhelm the user with dancing logos drawing the user's attention from the really important UI elements.

I suspect that people asking for branding are also talking about sending something to the client which is then dynamically integrated into the UI (see the new hype AJAX). Given that even most banks do not get their simple web sites right to really prevent CSS attacks, I'm strictly against such things. I'm scared that users are tricked. Period.

Ciao, Michael.

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto