Re: [Epiphany] Security/Certificates design



On Fri, 2003-10-17 at 11:42, Robert Marcano wrote:
> On Fri, 2003-10-17 at 17:11, Marco Pesenti Gritti wrote:
> > So I did a bit of work on the long time ago proposed document on
> > security. You can see it at:
> > http://www.gnome.org/~marco/security.html
> > 
> > As showed by spark feedback on it, there is still a lot of work to do.
> > http://www.gnome.org/~marco/security-spark.html
> > 
> > Though I'd be happy to hear opinions, analysis on the possible problems
> > etc...
> > 
> > Unfortunately I'm being very busy these days with a lot of other things,
> > maybe someone want to take it in his current draft status and work on
> > the problems. Note that there is still no mention of the exact
> > interface. It's just an analysis of the conceptual model and of the user
> > tasks. I think we want to be more mature on these before starting to
> > talk of an user interface implementation ...
> > 
> > Marco
> 
> Nice work. I have a few suggestions
> 
> 1)User Certificate = rename it Personal Certificates

Not sure what's better My/Personal.

> 2)Exchange information with a secure connection. ... We have two forms
> of feedback right now: icon in the statusbar (not very visible)
> 
>   why not show a different spinner in order to show that the user is
> navigating with a secure connection?

Yeha that make sense to me.

> 3) Import/Export certificates: I'm not sure how many people will use it
> and it can create interesting ui issues. But, it's usually possible to
> reinstall it right ?
> 
>   It is needed for example, Bank website install the certificate a my
> work computer, but i need to export and import it to my home machine.
> The bank can not give me the certificate again, so if i request it again
> it will reissue a new certificate, so my work certificate will now be
> marked as invalid

Yeah I suspected that, thanks for confirming.

> 4) Edit the list of autorithies
> 
>   Many banks issue certificates, but not use a known certificate
> authority, they act as the certificate authorite. So when i import my
> bank certificate using a PKCS12 file, it installs the bank certificate
> as a CA certificate. Installation and Removal of this is needed on
> intranet sites too that has internal certificate authorities

Yeah. My main concern here is to expose CA Root Certificate thing.
Both terminology and logic (hierarchy of certificates) are very hard to
understand.

> 5) I will create a few certificates Personal / Site / CA (using openssl)
> in order to you guys practice with them, give me a few days ;-)

Cool :)

Marco




[Date Prev][Date Next]   [Thread Prev][Thread Next]   [Thread Index] [Date Index] [Author Index]