Rephrase SSL Client Certificate selection dialog

ASSIGNED
Assigned to

Status

()

P3
enhancement
ASSIGNED
18 years ago
2 years ago

People

(Reporter: thomask, Assigned: timeless)

Tracking

(Blocks: 1 bug)

Trunk
x86
Windows 2000
Points:
---

Firefox Tracking Flags

(Not tracked)

Details

(Whiteboard: [psm-auth][psm-clientauth])

Attachments

(2 attachments)

(Reporter)

Description

18 years ago
I have 2 certificates that can be used to authenticate to CMS's agent interface. 
I disabled the "Select Automatically" option, and now I am seeing a "User 
Identification Request" window when authenticating to CMS.

The first section says:

This site has requested that you identify yourself with a security certificate:

pc614451.red.iplanet.com
Orgnaization: "200107301xss"
Issued Under: "200108301xss"

The text is not clear that it is showing the certificate of the site. We may 
want to change it to:

This site with the following identification

 ...
 ...

requested that you identifiy with a security certificate:

 ... [Then the listbox of my certificates]

Updated

18 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3
Target Milestone: --- → Future

Comment 1

18 years ago
cc'ing sean for wording changes. I know he prefers "certificate" instead 
of "security certificate".

Comment 2

18 years ago
Mass assigning QA to ckritzer.
QA Contact: junruh → ckritzer

Updated

17 years ago
QA Contact: ckritzer → junruh

Comment 3

17 years ago
Enhancement.
Severity: normal → enhancement

Comment 4

15 years ago
Mass reassign ssaux bugs to nobody
Assignee: ssaux → nobody
Mass change "Future" target milestone to "--" on bugs that now are assigned to
nobody.  Those targets reflected the prioritization of past PSM management.
Many of these should be marked invalid or wontfix, I think.
Target Milestone: Future → ---
(Assignee)

Updated

14 years ago
Component: Security: UI → Security: UI
Product: PSM → Core
QA Contact: junruh → ui
(Assignee)

Updated

10 years ago
Version: psm2.0 → 1.0 Branch
(Assignee)

Comment 6

10 years ago
Created attachment 328903 [details]
picture
(Assignee)

Comment 7

10 years ago
87 <!ENTITY clientAuthAsk.title "User Identification Request">

=> "Please identify yourself"

88 <!ENTITY clientAuthAsk.message1 "This site has requested that you identify yourself with a certificate:">

=> "Site requesting your identity:"

89 <!ENTITY clientAuthAsk.message2 "Choose a certificate to present as identification:">

=> "Identity to present to server:"

90 <!ENTITY clientAuthAsk.message3 "Details of selected certificate:">

=> "Details of this identity:"
Summary: need rewording for client authentication → Rephrase SSL Client Certificate challenge
Version: 1.0 Branch → Trunk

Comment 8

10 years ago
I'd also like to see the word "authentication" somewhere, like "For authentication purpose please identify yourself" or something along...
A certificate is not an identity.  It bears an identity.  
It is a binding of an identity to a public key. 
There may be multiple eligible certificates bearing the same identity.
In that situation, the user is not merely choosing an identity.
He is choosing a certificate.  So, it is appropriate to ask the user to 
choose a certificate.
Summary: Rephrase SSL Client Certificate challenge → Rephrase SSL Client Certificate selection dialog
I actually don't see a problem with any of the existing strings. Maybe the dialog title could be better, though I'd just drop the 'user' in that case.

What are we trying to solve here? shorter?
(Assignee)

Comment 11

10 years ago
Created attachment 329101 [details] [diff] [review]
changes based on comments

yes. the text is too long/wide and because of its arrangement, it confuses the reporter (and me).
Assignee: nobody → timeless
Status: NEW → ASSIGNED
Attachment #329101 - Flags: review?(kaie)
Comment on attachment 329101 [details] [diff] [review]
changes based on comments

Most people don't understand the difference between client authentication
and server authentication.  The existing dialog is carefully worded to make
it clear to such people that we're talking about the user, selecting a 
certificate that identifies the user, to present the user's identity to 
the server.  This is all to carefully distinguish this, in the user's mind,
from the far more common certs, which identify the server to the user.

The proposed changes seem to eliminate all the wording that presents that
careful distinction.  I believe most users would be far more confused by 
the newly proposed text than by the old, and many would assume they are 
being asked to pick a server certificate, the only kind of certificate
they understand.

Ultimately, this is a UI change and requires approval of the UI deities,
rather than being a mere code change.
Attachment #329101 - Flags: ui-review?(johnath)
Comment on attachment 329101 [details] [diff] [review]
changes based on comments

I agree with Nelson, I don't like this simplification.
Attachment #329101 - Flags: review?(kaie) → review-
I think the original comment requested a clarification.

It complained about the very first sentence in that dialog (see attachment 328903 [details]).

The dialog currently says
  This site has requested that you identify yourself with a certificate
  <hostname of site>
  <organization as listed in server cert>
  <Issuer organization of server cert>


The proposal was to change this to:
  This site with the following identification
  <hostname of site>
  <organization as listed in server cert>
  <Issuer organization of server cert>
  requested that you identify with a security certificate:


I would reword the original proposal and propose:
  The server at <hostname of site> 
  which uses a certificate issued to
  <organization as listed in server cert>
  <Issuer organization of server cert>
  requested that you identify yourself with a personal certificate.


Now this is problematic, because it would claim that the server has "identified itself". We don't say that currently.

I focus on the word "identified".

Given the recent hype around EV certificates and Larry, I think we have limited the term "identity" to EV certs.

Therefore I propose a wording that avoids saying the server is identified, and keeps a simpler cert.

Maybe we should simply replace the above with:
  The server at <hostname of site> 
  requests that you identify yourself with a personal certificate.
If we wanted to clarify further we could change
  Choose a certificate to present as identification:
to
  Choose a certificate to present as your identification:


And we could change
  Details of this certificate:
to
  Details of your personal certificate:
Attachment #329101 - Flags: ui-review?(johnath)
Comment on attachment 329101 [details] [diff] [review]
changes based on comments

timeles, btw, when significantly changing strings it is necessary to change the string identifier, too. This ensures that localizers will notice the change.
If we really stopped showing the organization name, it could be seen as a regression. We'd have to offer a "view server cert" button to make up for that regression.
Lately, there have been a number of comments from users in bugs making it 
very clear that, despite the careful wording of this dialog, the presence
of SO MUCH information about the server in the dialog makes the user think
that he is being asked to pick a certificate that identifies the server.

Users seem to actually think they are being asked to pick one cert of many
that identify the server, and are frustrated when they don't find any cert
that names the server in the drop down list of certs from which they can 
choose.  

So, Anything we can do to make it crystal clear that the server is 
requesting the user to authenticate HIMSELF, and is NOT asking the user to
choose a cert that identifies the server, should help.  

I think it is not necessary to present so much info about the server's cert
to the user, because this dialog is NOT about identifying the server.  
Presumably, the server identification is already done by the time the user 
sees this dialog.  But if people oppose reducing it, then I'd suggest 
reordering that dialog to say something like this:

> The server identified as:
>   Host:   (hostname)
>   Organization: (orgname)

> has requested that you identify yourself to it with a certificate that 
> has your name in it.  Please choose a certificate that identifies you
> from the list below, or click cancel if you do not wish to identify 
> yourself to the server with a certificate.
For an example of this confusion, see comments 28-37 of bug 313012.
(Assignee)

Comment 20

10 years ago
+<!ENTITY clientAuthAsk.title "Certificate Request">
+<!ENTITY clientAuthAsk.message1 "Site requesting you to authenticate:">
+<!ENTITY clientAuthAsk.message2 "Your certificate:">
+<!ENTITY clientAuthAsk.message3 "Details of your certificate:">

kaie: renaming labels shouldn't be done until you can figure out what you want to say. i'm aware of the need to flag things. but the goal is to give people something to play w/ first.
Whiteboard: [psm-auth]
Component: Security: UI → Security: PSM
Whiteboard: [psm-auth] → [psm-auth][psm-clientauth]
You need to log in before you can comment on or make changes to this bug.