- From: Anders Rundgren <anders.rundgren.net@gmail.com>
- Date: Wed, 9 Mar 2016 11:46:23 +0100
- To: Crispin Cowan <crispin@microsoft.com>, "timeless@gmail.com" <timeless@gmail.com>, Mitar <mmitar@gmail.com>
- Cc: "public-webappsec@w3.org" <public-webappsec@w3.org>
Since

- Microsoft's "Edge" browser doesn't support Web enrollment of certificates
- the other browser vendors are publicly considering dropping support for <keygen>
- smart cards have never worked particularly well in consumer computers
- practically all eID schemes have already taken on other ways of dealing with the Web

this discussion is purely hypothetical.

Anders

On 2016-03-08 23:38, Crispin Cowan wrote:
> Agreed. I have a ton of evidence from the doubleclick misadventure I described in the previous thread that users have no clue that they have certs, and have no clue when they have multiple certs.
>
> Users do NOT understand certs. Do not ask them questions about certs[*]. Ask them in-context questions about nouns and verbs that they are familiar with, e.g. "Do you authorize paying $Foo to <Bar> for product <Baz>?"
>
> [*] It is fine to provide a UX intended for experts to inspect and manipulate certs to their heart's content. But that does not address secure end-user consent scenarios.
>
> -----Original Message-----
> From: timeless.bmo1@gmail.com [mailto:timeless.bmo1@gmail.com] On Behalf Of timeless
> Sent: Tuesday, March 8, 2016 2:34 PM
> To: Mitar <mmitar@gmail.com>
> Cc: Crispin Cowan <crispin@microsoft.com>; public-webappsec@w3.org
> Subject: Re: Alternative proposal for the form signing using client-certificate
>
> On Mon, Mar 7, 2016 at 3:13 AM, Mitar <mmitar@gmail.com> wrote:
>> Also, users who have client-certs know that they have them.
> False.
Received on Wednesday, 9 March 2016 10:47:26 UTC