Usability issues with S/MIME plugin

Ingo Klöcker kloecker@kde.org
Sat Jun 7 14:41:02 2003


On Friday 06 June 2003 14:04, Werner Koch wrote:
> On Fri, 6 Jun 2003 13:02:11 +0200, Bernhard Reiter said:
> > because you have to tell the user
> > who is facing the problem to make this work
> > how to do this. :)
>
> And offer him a little chance to think about what he is going to do.
> Usually you have to do further investigations to figure out whether
> the fingerprint of the root CA is really the certificate you
> ultimately trust.  Immediately checking the website is not a good
> idea because it might have been de-faced already, so for due
> diligence one should wait a week or look at independent sources of
> the root CA's fingerprint - nothing you can do between 2 clicks.

That's why I'd like to have an [Ask again later] button. When I was
shown the first dialog ("Please verify...") I thought "How should I
verify this fingerprint?". Then I thought "What the heck? It's anyway
only a test CA certificate." (I was looking at one of Bernhard Reiter's
messages). So I simply clicked [Yes].

> But well, that is theory and almost all users won't care about this.
> So the double check as it is now implemented should be good enough.

Almost all users will blindly click [Correct] because they don't have
the slightest idea how to check the fingerprint. We already have this
situation with all those SSL protected web sites where the user has to
tell his web browser that he trusts the CA that issued the
SSL-certificate. Whenever I'm faced with this problem I tell Konqueror
to trust this certificate for this session only. But most people will
probably tell their browser to trust it forever.

My pessimistic (or realistic?) conclusion is that the two dialogs are
completely superfluous because the overwhelming majority will anyway
blindly click [Yes]. It would be better if the mail client would show a
warning like "This message is signed but the authenticity of the signer
can't be verified because the key of the issuing CA hasn't been
verified. [Click here for more details...]". In fact KMail does already
show a similar message for messages which are signed with untrusted
OpenPGP keys.

The Ägypten team also wrote a certificate manager (for KDE but it
shouldn't be difficult to write something similar for Qt or GTK). So it
wouldn't be difficult for a user to change the status of a CA certificate
whenever he feels like doing it. Hmm, I just tried this. Apparently
it's currently not possible to change the status of a certificate. This
should be changed.

Regards,
Ingo
