Bug 91497: Rephrase SSL Client Certificate selection dialog
Status: Open (NEW)
Opened 23 years ago, updated 2 years ago
Categories: Core :: Security: PSM, enhancement, P3
People: Reporter: thomask, Unassigned
References: Blocks 1 open bug
Details: Whiteboard: [psm-auth][psm-clientauth]
Attachments: 2 files (12.61 KB, image/png; 1.25 KB, patch, KaiE: review-)
I have 2 certificates that can be used to authenticate to CMS's agent interface. I disabled the "Select Automatically" option, and now I am seeing a "User Identification Request" window when authenticating to CMS. The first section says:
This site has requested that you identify yourself with a security certificate:
pc614451.red.iplanet.com
Organization: "200107301xss"
Issued Under: "200108301xss"
The text is not clear that it is showing the certificate of the site. We may want to change it to:
This site with the following identification
...
...
requested that you identify with a security certificate:
...
[Then the listbox of my certificates]
Updated•23 years ago
Status: UNCONFIRMED → NEW
Ever confirmed: true
Priority: -- → P3
Target Milestone: --- → Future
Comment 1•23 years ago
cc'ing sean for wording changes. I know he prefers "certificate" instead of "security certificate".
Updated•23 years ago
QA Contact: ckritzer → junruh
Updated•22 years ago
Blocks: clientauth
Comment 5•20 years ago
Mass change "Future" target milestone to "--" on bugs that now are assigned to nobody. Those targets reflected the prioritization of past PSM management. Many of these should be marked invalid or wontfix, I think.
Target Milestone: Future → ---
Updated•17 years ago
QA Contact: junruh → ui
<!ENTITY clientAuthAsk.title "User Identification Request">
=> "Please identify yourself"
<!ENTITY clientAuthAsk.message1 "This site has requested that you identify yourself with a certificate:">
=> "Site requesting your identity:"
<!ENTITY clientAuthAsk.message2 "Choose a certificate to present as identification:">
=> "Identity to present to server:"
<!ENTITY clientAuthAsk.message3 "Details of selected certificate:">
=> "Details of this identity:"
Summary: need rewording for client authentication → Rephrase SSL Client Certificate challenge
Version: 1.0 Branch → Trunk
Comment 8•16 years ago
I'd also like to see the word "authentication" somewhere, like "For authentication purpose please identify yourself" or something along...
Comment 9•16 years ago
A certificate is not an identity. It bears an identity. It is a binding of an identity to a public key. There may be multiple eligible certificates bearing the same identity. In that situation, the user is not merely choosing an identity. He is choosing a certificate. So, it is appropriate to ask the user to choose a certificate.
Updated•16 years ago
Summary: Rephrase SSL Client Certificate challenge → Rephrase SSL Client Certificate selection dialog
Comment 10•16 years ago
I actually don't see a problem with any of the existing strings. Maybe the dialog title could be better, though I'd just drop the 'user' in that case. What are we trying to solve here? shorter?
Comment 11•16 years ago
yes. the text is too long/wide and because of its arrangement, it confuses the reporter (and me).
Comment 12•16 years ago
Comment on attachment 329101: changes based on comments
Most people don't understand the difference between client authentication and server authentication. The existing dialog is carefully worded to make it clear to such people that we're talking about the user, selecting a certificate that identifies the user, to present the user's identity to the server. This is all to carefully distinguish this, in the user's mind, from the far more common certs, which identify the server to the user.
The proposed changes seem to eliminate all the wording that presents that careful distinction. I believe most users would be far more confused by the newly proposed text than by the old, and many would assume they are being asked to pick a server certificate, the only kind of certificate they understand.
Ultimately, this is a UI change and requires approval of the UI deities, rather than being a mere code change.
Attachment #329101 -
Flags: ui-review?(johnath)
Comment 13•16 years ago
Comment on attachment 329101: changes based on comments
I agree with Nelson, I don't like this simplification.
Attachment #329101 -
Flags: review?(kaie) → review-
Comment 14•16 years ago
I think the original comment requested a clarification.
It complained about the very first sentence in that dialog (see attachment 328903).
The dialog currently says
This site has requested that you identify yourself with a certificate
<hostname of site>
<organization as listed in server cert>
<Issuer organization of server cert>
The proposal was to change this to:
This site with the following identification
<hostname of site>
<organization as listed in server cert>
<Issuer organization of server cert>
requested that you identify with a security certificate:
I would reword the original proposal and propose:
The server at <hostname of site>
which uses a certificate issued to
<organization as listed in server cert>
<Issuer organization of server cert>
requested that you identify yourself with a personal certificate.
Now this is problematic, because it would claim that the server has "identified itself". We don't say that currently.
I focus on the word "identified".
Given the recent hype around EV certificates and Larry, I think we have limited the term "identity" to EV certs.
Therefore I propose a wording that avoids saying the server is identified, and keeps a simpler cert.
Maybe we should simply replace the above with:
The server at <hostname of site>
requests that you identify yourself with a personal certificate.
Comment 15•16 years ago
If we wanted to clarify further we could change
Choose a certificate to present as identification:
to
Choose a certificate to present as your identification:
And we could change
Details of this certificate:
to
Details of your personal certificate:
Updated•16 years ago
Attachment #329101 -
Flags: ui-review?(johnath)
Comment 16•16 years ago
Comment on attachment 329101: changes based on comments
timeless, btw, when significantly changing strings it is necessary to change the string identifier, too. This ensures that localizers will notice the change.
Comment 17•16 years ago
If we really stopped showing the organization name, it could be seen as a regression. We'd have to offer a "view server cert" button to make up for that regression.
Comment 18•16 years ago
Lately, there have been a number of comments from users in bugs making it very clear that, despite the careful wording of this dialog, the presence of SO MUCH information about the server in the dialog makes the user think that he is being asked to pick a certificate that identifies the server. Users seem to actually think they are being asked to pick one cert of many that identify the server, and are frustrated when they don't find any cert that names the server in the drop down list of certs from which they can choose.
So, anything we can do to make it crystal clear that the server is requesting the user to authenticate HIMSELF, and is NOT asking the user to choose a cert that identifies the server, should help.
I think it is not necessary to present so much info about the server's cert to the user, because this dialog is NOT about identifying the server. Presumably, the server identification is already done by the time the user sees this dialog. But if people oppose reducing it, then I'd suggest reordering that dialog to say something like this:
> The server identified as:
> Host: (hostname)
> Organization: (orgname)
> has requested that you identify yourself to it with a certificate that
> has your name in it. Please choose a certificate that identifies you
> from the list below, or click cancel if you do not wish to identify
> yourself to the server with a certificate.
Comment 19•16 years ago
For an example of this confusion, see comments 28-37 of bug 313012.
Comment 20•16 years ago
+<!ENTITY clientAuthAsk.title "Certificate Request"> +<!ENTITY clientAuthAsk.message1 "Site requesting you to authenticate:"> +<!ENTITY clientAuthAsk.message2 "Your certificate:"> +<!ENTITY clientAuthAsk.message3 "Details of your certificate:"> kaie: renaming labels shouldn't be done until you can figure out what you want to say. i'm aware of the need to flag things. but the goal is to give people something to play w/ first.
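Review bot: the four "+" lines change the text of clientAuthAsk.title and clientAuthAsk.message1 through message3 while keeping the same entity names, so localizers get no signal that the strings changed; give the entities new identifiers once the wording is settled. In message2, "Your certificate:" no longer tells the user to choose one, which matters when several eligible certificates are listed; a label such as "Choose your certificate:" would keep that instruction. In message1, "Site requesting you to authenticate:" should keep wording that says the user is identifying himself to the site, since the thread reports users reading this section as a request to pick a server certificate.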
Updated•14 years ago
Whiteboard: [psm-auth]
Component: Security: UI → Security: PSM
Whiteboard: [psm-auth] → [psm-auth][psm-clientauth]
Comment 21•2 years ago
The bug assignee is inactive on Bugzilla, so the assignee is being reset.
Assignee: timeless → nobody
Status: ASSIGNED → NEW
Updated•2 years ago
Severity: normal → S3