On Wed, August 21, 2013 1:31 pm, Michael Ströder wrote:
> > Michael,
> > Can you explain why the use of crlutil, as originally discussed, does
> > not
> > meet your needs or use case?
> > You suggest this is a step back for enterprise administration, but
> > surely
> > enterprise admins are capable of configuring things properly using other
> > means.
> > How is this different from the concept of needing to change a registry
> > key
> > on Windows - which an enterprise can do via Group Policy - but not
> > exposing said key through a visible UI? Or, in Linux terms, different
> > from
> > using Puppet/Chef to manage a set of files or, alternatively, using
> > group/world-readable but not writable configuration files?
> > I think it would be helpful to discussion, and to understanding your
> > position, if you could consider the alternatives presented and explain
> > why
> > they are unacceptable, given the design considerations Brian has raised,
> > rather than simply writing them off with "Stupid!" without contributing
> > useful feedback.
> Personally I can deal with crlutil. I'm also familiar with group policies
> But normal users can't do this. It was easy for them to just click on a
> downloading a CRL and set check boxes for letting the software download
> CRL once a day. And at least the downloads happened with my local
I think the empirical evidence and telemetry gathered would likely
disagree with you on this point.
Any security setting that requires 'normal' users (for whatever value of
normal there is) to click through multiple security UI dialogs - AND
understand the implications of what they're changing - is certainly a
failure on the security UI.
Further, given how unlikely this feature is to be used, it would seem that
the 'normal' users who would be instructed to go through such a UI are
likely of a technical competence to be able to use other means.
I think it's a reasonable balance between making sure that UIs remain
simple and clean and provide the user actionable steps and providing the
flexibility of configuration.
> And I can't see why this was dropped. Turning off security features
> some UI designers don't like the dialogue is stupid.
Security features are as much - if not more so - a UX problem as an actual
Brian's points about the technical debt incurred by such features,
compared with the value, don't seem to be addressed by your sentiments
here, other than you simply disagree. Is that a fair statement?
> What really strikes me is the tendency in Brian's postings that even if
> import CRLs with crlutil it's not guaranteed that this will be supported
> the not so far future. It seems to me everybody is forced to use OCSP (if
> CA provides it and the URL is in the certificate). But personally I regard
> OCSP as yet another privacy nightmare.
OCSP with stapling does not have the same privacy implications.
Revocation of intermediates and roots is already something that CRLs do
not scale well to.
CRLs themselves on the public Internet are not something that scale well
either (case in point: certain CA's 40mb CRLs).
Regardless, however, it seems your point of contention in this point is
less with the UI in and of itself, and more about how you view the
relative strengths and weaknesses of CRLs vs OCSP. You would rather prefer
CRLs over OCSP (for privacy reasons), although for the vast majority of
users, it's much more important for them as individuals to favour the
performance of OCSP over the CRLs.
This would be a case where the Firefox developers need to make a choice to
best serve the majority of their users. They could continue to support
both (thus serving both contingents), or they may decide that the costs of
that maintenance exceed the benefits of supporting both. Both are
reasonable engineering decisions, however, and shouldn't be taken as
> The developers simply don't care about security features and simply hide
> configuration options. More and more...