I have 2 certificates that can be used to authenticate to CMS's agent interface. I disabled the "Select Automatically" option, and now I am seeing a "User Identification Request" window when authenticating to CMS. The first section says:
  This site has requested that you identify yourself with a security certificate:
  pc614451.red.iplanet.com
  Organization: "200107301xss"
  Issued Under: "200108301xss"
The text is not clear that it is showing the certificate of the site. We may want to change it to:
  This site with the following identification
  ...
  ...
  requested that you identify with a security certificate:
  ...
  [Then the listbox of my certificates]
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3
Target Milestone: --- → Future
cc'ing sean for wording changes. I know he prefers "certificate" instead of "security certificate".
Mass assigning QA to ckritzer.
QA Contact: junruh → ckritzer
Severity: normal → enhancement
Mass reassign ssaux bugs to nobody
Assignee: ssaux → nobody
Mass change "Future" target milestone to "--" on bugs that now are assigned to nobody. Those targets reflected the prioritization of past PSM management. Many of these should be marked invalid or wontfix, I think.
Target Milestone: Future → ---
Component: Security: UI → Security: UI
Product: PSM → Core
<!ENTITY clientAuthAsk.title "User Identification Request"> => "Please identify yourself"
<!ENTITY clientAuthAsk.message1 "This site has requested that you identify yourself with a certificate:"> => "Site requesting your identity:"
<!ENTITY clientAuthAsk.message2 "Choose a certificate to present as identification:"> => "Identity to present to server:"
<!ENTITY clientAuthAsk.message3 "Details of selected certificate:"> => "Details of this identity:"
Summary: need rewording for client authentication → Rephrase SSL Client Certificate challenge
Version: 1.0 Branch → Trunk
I'd also like to see the word "authentication" somewhere, like "For authentication purpose please identify yourself" or something along...
A certificate is not an identity. It bears an identity. It is a binding of an identity to a public key. There may be multiple eligible certificates bearing the same identity. In that situation, the user is not merely choosing an identity. He is choosing a certificate. So, it is appropriate to ask the user to choose a certificate.
Summary: Rephrase SSL Client Certificate challenge → Rephrase SSL Client Certificate selection dialog
I actually don't see a problem with any of the existing strings. Maybe the dialog title could be better, though I'd just drop the 'user' in that case. What are we trying to solve here? shorter?
Created attachment 329101: changes based on comments
yes. the text is too long/wide and because of its arrangement, it confuses the reporter (and me).
Assignee: nobody → timeless
Status: NEW → ASSIGNED
Attachment #329101 - Flags: review?(kaie)
Comment on attachment 329101: changes based on comments
Most people don't understand the difference between client authentication and server authentication. The existing dialog is carefully worded to make it clear to such people that we're talking about the user, selecting a certificate that identifies the user, to present the user's identity to the server. This is all to carefully distinguish this, in the user's mind, from the far more common certs, which identify the server to the user.
The proposed changes seem to eliminate all the wording that presents that careful distinction. I believe most users would be far more confused by the newly proposed text than by the old, and many would assume they are being asked to pick a server certificate, the only kind of certificate they understand.
Ultimately, this is a UI change and requires approval of the UI deities, rather than being a mere code change.
Comment on attachment 329101: changes based on comments
I agree with Nelson, I don't like this simplification.
Attachment #329101 - Flags: review?(kaie) → review-
I think the original comment requested a clarification. It complained about the very first sentence in that dialog (see attachment 328903). The dialog currently says
  This site has requested that you identify yourself with a certificate
  <hostname of site>
  <organization as listed in server cert>
  <Issuer organization of server cert>
The proposal was to change this to:
  This site with the following identification
  <hostname of site>
  <organization as listed in server cert>
  <Issuer organization of server cert>
  requested that you identify with a security certificate:
I would reword the original proposal and propose:
  The server at
  <hostname of site>
  which uses a certificate issued to
  <organization as listed in server cert>
  <Issuer organization of server cert>
  requested that you identify yourself with a personal certificate.
Now this is problematic, because it would claim that the server has "identified itself". We don't say that currently. I focus on the word "identified". Given the recent hype around EV certificates and Larry, I think we have limited the term "identity" to EV certs. Therefore I propose a wording that avoids saying the server is identified, and keeps a simpler cert. Maybe we should simply replace the above with:
  The server at
  <hostname of site>
  requests that you identify yourself with a personal certificate.
If we wanted to clarify further we could change
  Choose a certificate to present as identification:
to
  Choose a certificate to present as your identification:
And we could change
  Details of this certificate:
to
  Details of your personal certificate:
Comment on attachment 329101: changes based on comments
timeless, btw, when significantly changing strings it is necessary to change the string identifier, too. This ensures that localizers will notice the change.
If we really stopped showing the organization name, it could be seen as a regression. We'd have to offer a "view server cert" button to make up for that regression.
Lately, there have been a number of comments from users in bugs making it very clear that, despite the careful wording of this dialog, the presence of SO MUCH information about the server in the dialog makes the user think that he is being asked to pick a certificate that identifies the server. Users seem to actually think they are being asked to pick one cert of many that identify the server, and are frustrated when they don't find any cert that names the server in the drop down list of certs from which they can choose.
So, anything we can do to make it crystal clear that the server is requesting the user to authenticate HIMSELF, and is NOT asking the user to choose a cert that identifies the server, should help.
I think it is not necessary to present so much info about the server's cert to the user, because this dialog is NOT about identifying the server. Presumably, the server identification is already done by the time the user sees this dialog. But if people oppose reducing it, then I'd suggest reordering that dialog to say something like this:
> The server identified as:
> Host: (hostname)
> Organization: (orgname)
> has requested that you identify yourself to it with a certificate that
> has your name in it. Please choose a certificate that identifies you
> from the list below, or click cancel if you do not wish to identify
> yourself to the server with a certificate.
For an example of this confusion, see comments 28-37 of bug 313012.
+<!ENTITY clientAuthAsk.title "Certificate Request"> +<!ENTITY clientAuthAsk.message1 "Site requesting you to authenticate:"> +<!ENTITY clientAuthAsk.message2 "Your certificate:"> +<!ENTITY clientAuthAsk.message3 "Details of your certificate:"> kaie: renaming labels shouldn't be done until you can figure out what you want to say. i'm aware of the need to flag things. but the goal is to give people something to play w/ first.
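Review bot: In the clientAuthAsk.message2 line, "Your certificate:" drops the verb, so the label no longer tells the user that the list beneath it is a choice they are being asked to make, and "Site requesting you to authenticate:" in clientAuthAsk.message1 no longer mentions a certificate at all. Suggest keeping an explicit instruction, along the lines of "Choose your certificate:", so the client-side nature of the selection stays visible. All four added lines also keep the existing clientAuthAsk.* ids while changing the text, so they need new ids before this lands if localizers are to notice the change.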
Component: Security: UI → Security: PSM
Whiteboard: [psm-auth] → [psm-auth][psm-clientauth]