SSL Cert problem with Outbreak
bscott at ntisys.com
Thu Feb 12 08:30:12 EST 2004
On Thu, 12 Feb 2004, at 6:53am, colet at code-energy.com wrote:
> I agree that M$ did something right in that they gave the user the
> notification that the certificate chain didn't end at a known good cert
> authority. However, it seems to me like they should give the user the
> ability to accept the certificate anyway.
>
> Are you saying that M$ was right in *not* allowing that? If so, how come?

I feel that it should require something more than a single mouse-click to
permanently add a PKI certificate to a trust list, at least by default.
Granting permanent trust is something that should only occur after careful
consideration. It should be a "big deal", because it is. So a more
explicit "import process" is what I prefer.

This is a subtle UI design technique -- make more significant things
require more user action than less significant things. Microsoft usually
gets this wrong, by popping up a single "Are you sure?" dialog box for every
possible operation, whether it is "Change font" or "Erase entire hard
drive".

Of course, burying that option under the "Content" tab of a web browser's
control panel is the height of bad UI design, and the fact that none of this
stuff is documented *anywhere* is real bad news, too. Plus I'm not really
sure I trust Microsoft's X.509/SSL implementation in the first place, given
their track record in this area.

--
Ben Scott <bscott at ntisys.com>
| The opinions expressed in this message are those of the author and do |
| not represent the views or policy of any other person or organization. |
| All information is provided without warranty of any kind. |
More information about the gnhlug-discuss mailing list