The branding stuff. Was: TLS-client-cert-auth in .SE


The branding stuff. Was: TLS-client-cert-auth in .SE

by Anders Rundgren

It appears that the word "branding" in a PKI GUI sent
some bad vibes around but it is really about switching from
unintelligible textual data such as

CN=John Smith, serialNumber=554544

to a card metaphor like you already use in the physical world;
not about annoying the user with Vista-like security pop-ups
that only security experts understand.  Something along the
following lines http://informationcard.net is needed.

Some people have "solved" this issue by making the PIN
dialog branded but that is usually done by assuming that
each card issuer has its own proprietary driver.

Anders
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@...
https://lists.mozilla.org/listinfo/dev-tech-crypto

Re: The branding stuff. Was: TLS-client-cert-auth in .SE

by Michael Ströder

Anders Rundgren wrote:

> It appears that the word "branding" in a PKI GUI sent
> some bad vibes around but it is really about switching from
> unintelligible textual data such as
>
> CN=John Smith, serialNumber=554544
>
> to a card metaphor like you already use in the physical world;
> not about annoying the user with Vista-like security pop-ups
> that only security experts understand.  Something along the
> following lines http://informationcard.net is needed.
>
> Some people have "solved" this issue by making the PIN
> dialog branded but that is usually done by assuming that
> each card issuer has its own proprietary driver.

Sure the UI for choosing the client cert could be improved, e.g. just by
displaying more informational attributes from the cert and the PKI
properly filling these attributes.

But I'm strictly against any service-specific branding in the GUI of a
PKI client. It should always look the same no matter which service is
accessed. Otherwise a user cannot learn how to do the right thing in
general. And experience shows that designers do not have any technical
understanding and will tend to overwhelm the user with dancing logos
drawing the user's attention from the really important UI elements.

I suspect that people asking for branding are also talking about sending
something to the client which is then dynamically integrated into the UI
(see the new hype AJAX). Given that even most banks do not get their
simple web sites right to really prevent CSS attacks I'm strictly
against such things.

I'm scared that users are tricked. Period.

Ciao, Michael.
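As an added example (not code from the thread or from any project mentioned in it), the Python below turns a subject DN string like the one Anders quotes into fixed, labelled "card" fields built only from the certificate's own attributes; the label wording and the RFC 4514 subset handled are this example's own assumptions.

```python
# Added example: render an RFC 4514 subject DN such as
# "CN=John Smith, serialNumber=554544" as fixed, labelled card fields.
# Every field comes from the certificate alone; nothing the relying
# service sends is merged in, so the layout looks the same for every site.

# Display labels for common attribute types (RFC 4514 short names; the
# label wording is this example's own choice, not a standard).
LABELS = {
    "CN": "Name",
    "serialNumber": "Serial number",
    "O": "Organisation",
    "OU": "Department",
    "C": "Country",
    "emailAddress": "E-mail",
}

HEX = "0123456789abcdefABCDEF"

def parse_dn(dn: str) -> list[tuple[str, str]]:
    """Split a DN string into (type, value) pairs, honouring RFC 4514 escapes.

    "\\XX" (two hex digits) is one raw byte, e.g. "\\2C" for a comma, so
    UTF-8 sequences survive; "\\c" escapes any other single character.
    Unescaped leading/trailing spaces are separator whitespace and dropped.
    Multi-valued RDNs ("+") and "#"-prefixed BER values are not handled.
    """
    pairs: list[tuple[str, str]] = []
    typ, val, pending = bytearray(), bytearray(), 0
    cur = typ                      # buffer currently being filled
    i = 0
    while i < len(dn):
        ch = dn[i]
        if ch == "\\" and i + 1 < len(dn):
            cur += b" " * pending; pending = 0   # spaces before an escape are real
            if i + 2 < len(dn) and dn[i + 1] in HEX and dn[i + 2] in HEX:
                cur.append(int(dn[i + 1:i + 3], 16)); i += 3
            else:
                cur += dn[i + 1].encode("utf-8"); i += 2
            continue
        if ch == " ":
            pending += 1 if cur else 0           # leading spaces are ignored
        elif ch == "=" and cur is typ:
            cur = val; pending = 0
        elif ch == ",":                          # unescaped comma ends the RDN
            pairs.append((typ.decode(), val.decode()))
            typ, val, pending = bytearray(), bytearray(), 0
            cur = typ
        else:
            cur += b" " * pending; pending = 0
            cur += ch.encode("utf-8")
        i += 1
    pairs.append((typ.decode(), val.decode()))
    return pairs

def card_fields(dn: str) -> list[tuple[str, str]]:
    """Fixed-order (label, value) rows; types without a label keep their name."""
    pairs = parse_dn(dn)
    rows = [(LABELS[t], v) for t in LABELS for tt, v in pairs if tt == t]
    rows += [(t, v) for t, v in pairs if t not in LABELS]
    return rows
```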

Re: The branding stuff. Was: TLS-client-cert-auth in .SE

by Anders Rundgren

Michael Ströder wrote:

>But I'm strictly against any service-specific branding in the GUI of a
>PKI client. It should always look the same no matter which service is
>accessed

Agreed.

>Sure the UI for choosing the client cert could be improved, e.g. just by
>displaying more informational attributes from the cert and the PKI
>properly filling these attributes.

Essentially you are saying that Information Cards is a bad idea.
I believe that they rather form a virtual counterpart to physical
cards in a wallet.

That this will forever keep the "uneducated masses" unaware
of what PKI really is, is IMO a precondition for success since
the PKI people themselves do not [generally] fully master PKI!

In case you feel ready for yours truly's "PKI challenge",
you could try outlining how *you* would in an Internet-
scale deal with the problems mentioned in this document:
http://web.telia.com/~u18116613/A.R.AppliedPKI-Lesson-1.pdf
Naturally all these issues have been solved in a very nice fashion
but NOT by PKI people because they simply do not understand
IT, only cryptography.

Please don't take it personally, you could be an exception :-)

Yes, this is also highly related to TLS-client-cert-auth.

Anders


----- Original Message -----
From: "Michael Ströder" <michael@...>
Newsgroups: mozilla.dev.tech.crypto
To: <dev-tech-crypto@...>
Sent: Friday, August 29, 2008 14:07
Subject: Re: The branding stuff. Was: TLS-client-cert-auth in .SE


Re: The branding stuff. Was: TLS-client-cert-auth in .SE

by Michael Ströder

Anders Rundgren wrote:
> Michael Ströder wrote:
>> Sure the UI for choosing the client cert could be improved, e.g. just by
>> displaying more informational attributes from the cert and the PKI
>> properly filling these attributes.
>
> Essentially you are saying that Information Cards is a bad idea.

I didn't say anything like this about Information Cards.

> I believe that they rather form a virtual counterpart to physical
> cards in a wallet.

Frankly I don't know much about it.

> In case you feel ready for yours truly's "PKI challenge",
> you could try outlining how *you* would in an Internet-
> scale deal with the problems mentioned in this document:
> http://web.telia.com/~u18116613/A.R.AppliedPKI-Lesson-1.pdf
> Naturally all these issues have been solved in a very nice fashion
> but NOT by PKI people because they simply do not understand
> IT, only cryptography.

Frankly I don't know very much about the maths of cryptography. But I do
understand a lot about making things work in the real world (including
teaching users). And that's the reason why I'm staying out of making any
general claims in this "Internet-scale" scope.

But again the argument that the lack of branding options hinders SSL/TLS
client authc to be used is really moot. And given how many web designers
and marketing people render web sites/applications to be
unusable/insecure for end-users I'm strictly against giving them any
possibility to muck around with security-related UI parts in browsers
(or other software).

> Please don't take it personally, you could be an exception :-)

Being in Usenet since '93 my protective clothing is pretty thick. ;-)

Ciao, Michael.