As a user who's technically-competent in general, but has little-to-no
knowledge about the kind of security you're trying to achieve here,
allow me to make some points. Consider this "user feedback", by all means.

Bob Lord wrote:
> 
> Almost all of them are present in
> Communicator and IE.

I use Communicator. I don't remember all that stuff.

> I'm not sure what you mean by the Security Manager.  Do you mean the
> Certificate Manager?

The what?

I've only seen a certificate used once in all my time on the web... and
that was for something stupid. (Downloading a piece of software, IIRC.)
I have yet to understand what use these are to anybody, or why they're
apparently given out free to everyone who downloads a browser; what good
is a lock if everyone has the key?

> Or are you advocating a combined design like the
> Security Advisor in Communicator?

The what?

> Does that mean that you cannot get
> or view your personal certs with Mac IE, can't see CA certs, for
> example?

Huh?

> The Device Manager is the way you manage and troubleshoot your smart
> cards...

Huh?

> ...and other similar tokens.

Similar whats?

> When things are working correctly with
> your smart card, you don't need to go here.  If things are not working
> correctly, however, you'll need a way to see which modules are
> loaded, and which tokens are present.

What on earth are you talking about?

> It's possible that the hardware drivers are not loaded correctly.

Hardware drivers? For what? Mozilla is a piece of software, not a
peripheral. Why does it need hardware drivers? Shouldn't the OS be
handling all of that?

> Different token manufacturers build in different capabilities into their
> tokens and drivers.  There are some operations which the token must
> perform in order for the function to work (like in the case where the
> keys are stored on the token) or to conform to certain standards.

Greek to me, pal. I don't know who these people are who use this stuff,
but it sure as hell isn't me, and it isn't anyone I know.

> You might want to turn off TLS if you encounter a web site that is
> "TLS intolerant".

I have some idea what SSL is, but WTF is TLS? How would I know if a site
is "TLS intolerant", anyway?

> Users choose weak passwords.  But unless they get feedback on what's
> "worse" and what's "better", they're not going to improve the quality of
> their passwords.

Finally, something in English. But this is silly; anyone who'd be
messing with this much security stuff in the first place surely knows
what kind of passwords to choose. If it's really that important for the
rest of us to know that "j13DnF0pPW6" is a better password than "cat",
then put it in the documentation, or just say so in the dialog.

What? People don't read documentation? Well, surely that's their
problem. RTFM, yes?

That's a hell of a lot better than some kind of weird puzzle game, which
is apparently what you have now.

> You would want to turn off a cipher if some clever math wiz was able to
> find a flaw with it. This does happen from time to time. You might also
> want to turn off the low-grade encryption ciphers to make sure you're
> only using the high-grade crypto.

Shouldn't the high-grade crypto stuff be on by default, and transparent
to the user?

-Xplo
