On 26.03.2010 13:44, Gervase Markham wrote:

The basic idea is to show an indicator in chrome whenever a site asks
for client authentication, and give the user full control over using a
personal certificate for authentication (or not using one). The
interface should also support persistent configuration, per site. It
should be powerful enough to support complex sites and work with
appearing/disappearing certs which are stored on smartcards.

From reading the documents, it's clear that we do have a difficult
simplicity/power tradeoff to make here. In order to help make it, do we
have any statistics or ideas how common it is to have scenarios like:

- A page whose components and subcomponents together require auth using
more than one client certificate

- A page where the top level does not require a client certificate but
sub-parts do


In the previous explanations I proposed to always have the user go through two clicks:
- clicks the icon
- gets a menu popup with a list of sites
- clicks the site name the user wants to control

While this is powerful enough to handle any sites, it may be unnecessarily complicated when dealing with simple scenarios, e.g. if all content originates from a single host.

Here's a modification of that idea, let's consider a site that uses three different hosts, www.site.com, subcontent.site.com, images.site.com


User clicks icon and we show this menu:

   www.site.com (disabled menu item)
 x Logged out
   Authenticate using my Certificate...
 --------------------------------------
   Settings for additional sites...


(Whenever there is only a single site using client auth, we could hide the "Settings for additional sites" menu item.)


If you click the "Authentication for additional sites..."
we can open a sub-menu that lists the above for each site involved.


   www.site.com (disabled menu item)
 x Logged out
   Authenticate using my Certificate...
 --------------------------------------
   Settings for additional sites...      subcontent.site.com
                                       x Logged out
                                         Authenticate using...
                                       -----------------------
                                         images.site.com
                                       x Logged out
                                         Authenticate using...
                                       -----------------------
                                       ....
                                       -----------------------
                                       ....
                                       -----------------------
                                       More sites...


If the user authenticates using a certificate, we could show the following menu:

   www.site.com (disabled menu item)
   Log out
 x Authenticated (Kai Engert, StartCom Free Certificate Member)
   Authenticate using a different Certificate...
 --------------------------------------
   Settings for additional sites...


In my earlier proposal I said we should use two separate icons,
and group the lists of "logged out" and "logged in" sites separately.

The above proposal combines both lists into a single list, and may be easier to work with.


However, I still believe that we sometimes need to show two icons in parallel, to indicate the "some logged in, some logged out" scenario.

Kai
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
