
Re: Alternative proposal for the form signing using client-certificate

From: Anders Rundgren <anders.rundgren.net@gmail.com>
Date: Wed, 9 Mar 2016 11:46:23 +0100
To: Crispin Cowan <crispin@microsoft.com>, "timeless@gmail.com" <timeless@gmail.com>, Mitar <mmitar@gmail.com>
Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Message-ID: <56DFFEFF.2@gmail.com>

- Microsoft's "Edge" browser doesn't support Web enrollment of certificates
- the other browser vendors are publicly considering dropping support for <keygen>
- smart cards have never worked particularly well in consumer computers
- practically all eID schemes have already taken on other ways of dealing with the Web

this discussion is purely hypothetical.


On 2016-03-08 23:38, Crispin Cowan wrote:
> Agreed. I have a ton of evidence from the doubleclick misadventure I described in the previous thread that users have no clue that they have certs, and have no clue when they have multiple certs.
> Users do NOT understand certs. Do not ask them questions about certs[*]. Ask them in-context questions about nouns and verbs that they are familiar with, e.g. "Do you authorize paying $Foo to <Bar> for product <Baz>?"
> [*] It is fine to provide a UX intended for experts to inspect and manipulate certs to their heart's content. But that does not address secure end-user consent scenarios.
> -----Original Message-----
> From: timeless.bmo1@gmail.com [mailto:timeless.bmo1@gmail.com] On Behalf Of timeless
> Sent: Tuesday, March 8, 2016 2:34 PM
> To: Mitar <mmitar@gmail.com>
> Cc: Crispin Cowan <crispin@microsoft.com>; public-webappsec@w3.org
> Subject: Re: Alternative proposal for the form signing using client-certificate
> On Mon, Mar 7, 2016 at 3:13 AM, Mitar <mmitar@gmail.com> wrote:
>> Also, users who have client-certs know that they have them.
> False.
Received on Wednesday, 9 March 2016 10:47:26 UTC
