Re: Alternative proposal for the form signing using client-certificate


- Microsoft's "Edge" browser doesn't support Web enrollment of certificates
- the other browser vendors are publicly considering dropping support for <keygen>
- smart cards have never worked particularly well in consumer computers
- practically all eID schemes have already taken on other ways of dealing with the Web

this discussion is purely hypothetical.


On 2016-03-08 23:38, Crispin Cowan wrote:
> Agreed. I have a ton of evidence from the doubleclick misadventure I described in the previous thread that users have no clue that they have certs, and have no clue when they have multiple certs.
> Users do NOT understand certs. Do not ask them questions about certs[*]. Ask them in-context questions about nouns and verbs that they are familiar with, e.g. "Do you authorize paying $Foo to <Bar> for product <Baz>?"
> [*] It is fine to provide a UX intended for experts to inspect and manipulate certs to their heart's content. But that does not address secure end-user consent scenarios.
> -----Original Message-----
> From: [] On Behalf Of timeless
> Sent: Tuesday, March 8, 2016 2:34 PM
> To: Mitar <>
> Cc: Crispin Cowan <>;
> Subject: Re: Alternative proposal for the form signing using client-certificate
> On Mon, Mar 7, 2016 at 3:13 AM, Mitar <> wrote:
>> Also, users who have client-certs know that they have them.
> False.

Received on Wednesday, 9 March 2016 10:47:26 UTC