Ben, Having worked at a large CA for along time (trying to push for client-side certs with little luck), here are some thoughts on what Chrome could provide:
(a) Association with net identities: Provide some way for the user to associate his/her X.509 cert with an "internet identity" string (eg. OpenID, email address, etc etc) in the browser. (Yes, we could add such an identity in the SubjAltName, but that's outside the control of the end-user). This would allow the user to choose which cert to deliver to the server when the user is engaging the server using one of his/her identities. (PS. being able to associate with a small image/icon/photo of the user would also be nice). The UI should be a simple as click cert and click identity, and then click associate. (b) Export of certs: Provide an easy way to export client-certs to other apps. Currently some CAs use the browser as the primary means for cert enrollment. Currently in IE this is somewhat a lengthy process and the response (ie. export of cert successful or not) is also not very clear to the end-user. The UI should not even talk about "export". It should say something along the lines of "Do you want to make your certificate available to the following Apps". (c) Lock showing which cert/identity used: It would be useful if in addition to the Lock symbol (ie. SSL session established) there is a string (next to the Lock symbol) showing which client-side cert the browser is using for that SSL session. This is related to item (a) above, where a human-readable net identity is associate with the cert. This helps the user in distinguishing which identity he/she is using when connecting to a Bank versus a Blog versus a corporate web-mail (all of which could be using distinct cert/identity). If there is a mismatch, the user can see this visually. (d) Notification of expired certs: It would be good if the browser could somehow notify the user if there are some expired certs (belonging to the user) in the browser. I'm finding that some browsers deliver the first cert in the list even when it has expired (thus causing the server to reject). (e) Better notification/alerts of errors regarding server-certs: This is a hard one as the average user (eg. my Mom) does not understand about certs to begin with. Since one of the main aims of SSL server-certs today is to prevent phishing, perhaps those messages should be "phishing-oriented". This one need further thought, but perhaps a third button/option could be provided (in addition to the Cancel and Continue buttons). This third button could provide the user with some alternate sites with similar sounding domain names but with proven/valid server-certs. (f) Better graphical representation of cert hierarchy: Perhaps not crucial, but a nice graphical representation of the cert hierarchy/tree might help educate the average user (my Mom/Dad) about what a CA is and where the user is located in the hierarchy. This would even help the average employee when his/her company is using a subordinate CA off a public CA. When the user clicks on a node in the tree, it should show the organization name and other human friendly details. (g) Easy check button for server-certs: It would be great if I could right-click the Lock symbol on the browser and be able to choose an action along the lines of "Validate Server Certificate". The browser would then hit the corresponding OCSP Responder (as denoted in the server-cert) and report the status to the user using some graphical notation (eg. icon of server with a big X if the server-cert is invalid or status unknown). That's all for now. Will send more thoughts if any come up :) /thomas/ > -----Original Message----- > From: owner-cryptogra...@metzdowd.com [mailto:owner- > cryptogra...@metzdowd.com] On Behalf Of Ben Laurie > Sent: Wednesday, August 05, 2009 9:59 AM > To: Cryptography > Subject: Client Certificate UI for Chrome? > > So, I've heard many complaints over the years about how the UI for > client certificates sucks. Now's your chance to fix that problem - > we're in the process of thinking about new client cert UI for Chrome, > and welcome any input you might have. Obviously fully-baked proposals > are more likely to get attention than vague suggestions. > > I imagine I may well hear "what about the UI around server > certificates?" - fair enough, feel free, and I'll see what I can do. > > --------------------------------------------------------------------- > The Cryptography Mailing List > Unsubscribe by sending "unsubscribe cryptography" to > majord...@metzdowd.com --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com
