Open Bug 91497 Opened 23 years ago Updated 2 years ago

Rephrase SSL Client Certificate selection dialog

Categories

(Core :: Security: PSM, enhancement, P3)

x86
Windows 2000
enhancement


People

(Reporter: thomask, Unassigned)

References

(Blocks 1 open bug)

Details

(Whiteboard: [psm-auth][psm-clientauth])

Attachments

(2 files)

I have 2 certificates that can be used to authenticate to CMS's agent interface. 
I disabled the "Select Automatically" option, and now I am seeing a "User 
Identification Request" window when authenticating to CMS.

The first section says:

This site has requested that you identify yourself with a security certificate:

pc614451.red.iplanet.com
Organization: "200107301xss"
Issued Under: "200108301xss"

The text is not clear that it is showing the certificate of the site. We may 
want to change it to:

This site with the following identification

 ...
 ...

requested that you identify with a security certificate:

 ... [Then the listbox of my certificates]
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3
Target Milestone: --- → Future
cc'ing sean for wording changes. I know he prefers "certificate" instead 
of "security certificate".
Mass assigning QA to ckritzer.
QA Contact: junruh → ckritzer
QA Contact: ckritzer → junruh
Enhancement.
Severity: normal → enhancement
Blocks: clientauth
Mass reassign ssaux bugs to nobody
Assignee: ssaux → nobody
Mass change "Future" target milestone to "--" on bugs that now are assigned to
nobody.  Those targets reflected the prioritization of past PSM management.
Many of these should be marked invalid or wontfix, I think.
Target Milestone: Future → ---
Product: PSM → Core
QA Contact: junruh → ui
Version: psm2.0 → 1.0 Branch
Attached image picture
<!ENTITY clientAuthAsk.title "User Identification Request">

=> "Please identify yourself"

<!ENTITY clientAuthAsk.message1 "This site has requested that you identify yourself with a certificate:">

=> "Site requesting your identity:"

<!ENTITY clientAuthAsk.message2 "Choose a certificate to present as identification:">

=> "Identity to present to server:"

<!ENTITY clientAuthAsk.message3 "Details of selected certificate:">

=> "Details of this identity:"
Summary: need rewording for client authentication → Rephrase SSL Client Certificate challenge
Version: 1.0 Branch → Trunk
I'd also like to see the word "authentication" somewhere, like "For authentication purpose please identify yourself" or something along...
A certificate is not an identity.  It bears an identity.  
It is a binding of an identity to a public key. 
There may be multiple eligible certificates bearing the same identity.
In that situation, the user is not merely choosing an identity.
He is choosing a certificate.  So, it is appropriate to ask the user to 
choose a certificate.
Summary: Rephrase SSL Client Certificate challenge → Rephrase SSL Client Certificate selection dialog
I actually don't see a problem with any of the existing strings. Maybe the dialog title could be better, though I'd just drop the 'user' in that case.

What are we trying to solve here? shorter?
yes. the text is too long/wide and because of its arrangement, it confuses the reporter (and me).
Assignee: nobody → timeless
Status: NEW → ASSIGNED
Attachment #329101 - Flags: review?(kaie)
Comment on attachment 329101 [details] [diff] [review]
changes based on comments

Most people don't understand the difference between client authentication
and server authentication.  The existing dialog is carefully worded to make
it clear to such people that we're talking about the user, selecting a 
certificate that identifies the user, to present the user's identity to 
the server.  This is all to carefully distinguish this, in the user's mind,
from the far more common certs, which identify the server to the user.

The proposed changes seem to eliminate all the wording that presents that
careful distinction.  I believe most users would be far more confused by 
the newly proposed text than by the old, and many would assume they are 
being asked to pick a server certificate, the only kind of certificate
they understand.

Ultimately, this is a UI change and requires approval of the UI deities,
rather than being a mere code change.
Attachment #329101 - Flags: ui-review?(johnath)
Comment on attachment 329101 [details] [diff] [review]
changes based on comments

I agree with Nelson, I don't like this simplification.
Attachment #329101 - Flags: review?(kaie) → review-
I think the original comment requested a clarification.

It complained about the very first sentence in that dialog (see attachment 328903 [details]).

The dialog currently says
  This site has requested that you identify yourself with a certificate
  <hostname of site>
  <organization as listed in server cert>
  <Issuer organization of server cert>


The proposal was to change this to:
  This site with the following identification
  <hostname of site>
  <organization as listed in server cert>
  <Issuer organization of server cert>
  requested that you identify with a security certificate:


I would reword the original proposal and propose:
  The server at <hostname of site> 
  which uses a certificate issued to
  <organization as listed in server cert>
  <Issuer organization of server cert>
  requested that you identify yourself with a personal certificate.


Now this is problematic, because it would claim that the server has "identified itself". We don't say that currently.

I focus on the word "identified".

Given the recent hype around EV certificates and Larry, I think we have limited the term "identity" to EV certs.

Therefore I propose a wording that avoids saying the server is identified, and keeps a simpler cert.

Maybe we should simply replace the above with:
  The server at <hostname of site> 
  requests that you identify yourself with a personal certificate.
If we wanted to clarify further we could change
  Choose a certificate to present as identification:
to
  Choose a certificate to present as your identification:


And we could change
  Details of this certificate:
to
  Details of your personal certificate:
Attachment #329101 - Flags: ui-review?(johnath)
Comment on attachment 329101 [details] [diff] [review]
changes based on comments

timeless, btw, when significantly changing strings it is necessary to change the string identifier, too. This ensures that localizers will notice the change.
If we really stopped showing the organization name, it could be seen as a regression. We'd have to offer a "view server cert" button to make up for that regression.
Lately, there have been a number of comments from users in bugs making it 
very clear that, despite the careful wording of this dialog, the presence
of SO MUCH information about the server in the dialog makes the user think
that he is being asked to pick a certificate that identifies the server.

Users seem to actually think they are being asked to pick one cert of many
that identify the server, and are frustrated when they don't find any cert
that names the server in the drop down list of certs from which they can 
choose.  

So, anything we can do to make it crystal clear that the server is 
requesting the user to authenticate HIMSELF, and is NOT asking the user to
choose a cert that identifies the server, should help.  

I think it is not necessary to present so much info about the server's cert
to the user, because this dialog is NOT about identifying the server.  
Presumably, the server identification is already done by the time the user 
sees this dialog.  But if people oppose reducing it, then I'd suggest 
reordering that dialog to say something like this:

> The server identified as:
>   Host:   (hostname)
>   Organization: (orgname)

> has requested that you identify yourself to it with a certificate that 
> has your name in it.  Please choose a certificate that identifies you
> from the list below, or click cancel if you do not wish to identify 
> yourself to the server with a certificate.
For an example of this confusion, see comments 28-37 of bug 313012.
+<!ENTITY clientAuthAsk.title "Certificate Request">
+<!ENTITY clientAuthAsk.message1 "Site requesting you to authenticate:">
+<!ENTITY clientAuthAsk.message2 "Your certificate:">
+<!ENTITY clientAuthAsk.message3 "Details of your certificate:">
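
Review bot: all four entities (clientAuthAsk.title, .message1, .message2, .message3) change meaning substantially but keep their identifiers, so localization tooling will treat the strings as unchanged and translators will not be prompted to revisit them, which is exactly the point raised earlier in this thread; once the wording settles, rename the entities (for example by appending a version suffix) in the same patch. Separately, "Site requesting you to authenticate:" drops the explicit "identify yourself" phrasing that the review comments above argue is what keeps users from reading this as a request to pick a server certificate; consider keeping a "yourself" construction, e.g. "This site asks you to identify yourself with a certificate:".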

kaie: renaming labels shouldn't be done until you can figure out what you want to say. i'm aware of the need to flag things. but the goal is to give people something to play w/ first.
Whiteboard: [psm-auth]
Component: Security: UI → Security: PSM
Whiteboard: [psm-auth] → [psm-auth][psm-clientauth]

The bug assignee is inactive on Bugzilla, so the assignee is being reset.

Assignee: timeless → nobody
Status: ASSIGNED → NEW
Severity: normal → S3