[Acme] User Experience criteria

Phillip Hallam-Baker <phill@hallambaker.com> Tue, 03 March 2015 00:23 UTC

From: Phillip Hallam-Baker <phill@hallambaker.com>
To: "acme@ietf.org" <acme@ietf.org>
Archived-At: <http://mailarchive.ietf.org/arch/msg/acme/UZxq8n9HnzGFpadOAhIcWreBOPc>
Subject: [Acme] User Experience criteria

One of the important features of Let's Encrypt that we must not lose sight of
is the ease-of-use goal.

99% of the pain involved in PKI today is unnecessary. I timed myself
installing S/MIME certs in various email clients and it took between
fifteen and thirty minutes. And I know what I am doing (unlike the typical
user).

Easy-to-follow instructions invariably turn out not to be for a large
number of reasons. Not least the instructions are usually out of date. So
while they might be simple they are also WRONG.

Lab testing is useful but it can also be a cop-out. The behavior of a paid
test subject in a fifteen-minute test rarely reflects that of a real user's
daily use. It is very informative for sales though.


I have been working on fixing this for S/MIME and I have written a program
that will configure Windows Live Mail to use S/MIME with no user input at
all. This is very similar to the planned user experience for Let's Encrypt
but it would be good if we could get the objectives down and generalize
them.


1) User interaction is only permitted for the purposes of
   1a) Obtaining information that only the user can provide
   1b) Providing information to the user

2) All information necessary for the user to make a decision will be made
available.

3) Adding security should require no additional user effort.


The first one is the key. The user should never have needed to do anything
more than say what their CA is and provide any necessary validation data.