SSL Cert problem with Outbreak

bscott at ntisys.com bscott at ntisys.com
Thu Feb 12 08:30:12 EST 2004


On Thu, 12 Feb 2004, at 6:53am, colet at code-energy.com wrote:
> I agree that M$ did something right in that they gave the user the
> notification that the certificate chain didn't end at a known good cert
> authority.  However, it seems to me like they should give the user the
> ability to accept the certificate anyway.
> 
> Are you saying that M$ was right in *not* allowing that?  If so, how come?

  I feel that it should require something more than a single mouse-click to
permanently add a PKI certificate to a trust list, at least by default.  
Granting permanent trust is something that should only occur after careful
consideration.  It should be a "big deal", because it is.  So a more
explicit "import process" is what I prefer.

  This is a subtle UI design technique -- make more significant things
require more user action than less significant things.  Microsoft usually
gets this wrong, by popping up a single "Are you sure?" dialog box for every
possible operation, whether it is "Change font" or "Erase entire hard
drive".

  Of course, burying that option under the "Content" tab of a web browser's
control panel is the height of bad UI design, and the fact that none of this
stuff is documented *anywhere* is real bad news, too.  Plus I'm not really
sure I trust Microsoft's X.509/SSL implementation in the first place, given
their track record in this area.

-- 
Ben Scott <bscott at ntisys.com>
| The opinions expressed in this message are those of the author and do  |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind.              |




More information about the gnhlug-discuss mailing list