W3C home > Mailing lists > Public > public-webappsec@w3.org > March 2016

RE: Alternative proposal for the form signing using client-certificate

From: Crispin Cowan <crispin@microsoft.com>
Date: Tue, 8 Mar 2016 22:38:59 +0000
To: "timeless@gmail.com" <timeless@gmail.com>, Mitar <mmitar@gmail.com>
CC: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <BN3PR0301MB1220638421EE2C6F8AA874C5BDB20@BN3PR0301MB1220.namprd03.prod.outlook.com>
Agreed. I have a ton of evidence from the doubleclick misadventure I described in the previous thread that users have no clue that they have certs, and have no clue when they have multiple certs.

Users do NOT understand certs. Do not ask them questions about certs[*]. Ask them in-context questions about nouns and verbs that they are familiar with, e.g. "Do you authorize paying $Foo to <Bar> for product <Baz>?"

[*] It is fine to provide a UX intended for experts to inspect and manipulate certs to their heart's content. But that does not address secure end-user consent scenarios.

-----Original Message-----
From: timeless.bmo1@gmail.com [mailto:timeless.bmo1@gmail.com] On Behalf Of timeless
Sent: Tuesday, March 8, 2016 2:34 PM
To: Mitar <mmitar@gmail.com>
Cc: Crispin Cowan <crispin@microsoft.com>; public-webappsec@w3.org
Subject: Re: Alternative proposal for the form signing using client-certificate

On Mon, Mar 7, 2016 at 3:13 AM, Mitar <mmitar@gmail.com> wrote:
>
> Also, users who have client-certs know that they have them.

False.
Received on Tuesday, 8 March 2016 22:39:32 UTC

This archive was generated by hypermail 2.3.1 : Monday, 23 October 2017 14:54:18 UTC