Usability problems

This section is brainstorming - every feel free to add any and everything that comes to mind. Feel free to comment on on the relative severity of the issues (e.g., #1, #2, medium, low impact problem).

I suspect most of these will be anecdotal, but If we have citable sources, include those.

• SecurityUsabilityWriteUp

What are the major usability problems at this time from the user's point of view?

• Obtaining X.509 credentials
  • Depends a lot on the group of users. My students at UCSD found the process straightforward. - Igor
  • Do we include the time it takes to get the cert as a separate issue? - Igor
• Managing X.509 credentials - forgetting passwords
• Managing VOMS attributes
  • Use the right attributes for a particular activity
  • Beware not to overwrite a proxy with different attributes that is still being used
  • Beware /tmp is not shared across interactive cluster nodes (e.g. lxplus.cern.ch)
  • ATLAS: DN (i.e. a plain grid proxy) should be sufficient to read ATLAS data
    • Would avoid the need to install the VOMS client + deps on a laptop
• Lack of integration with web site authentication
• Lack of support of service certificates
  • Von: I need elaboration on this one, please clarify.
• Lack of internationalization
  • the presence of non-ASCII characters in DNs can cause problems
• more...

What are the major usability problems at this time from the administrator's point of view?

• Revocation, managing CRLs
  • (Jakob) regarding "Improved revocation" in the write-up: as far as I know, CRLs are updated more often than the expiry period. For instance, files are fetched every day, but CRLs expire only weekly. Perhaps it makes sense to print the a warning not when it's too late and the certificate expired, but already when it's clear that the update was not working (e.g. after 3 days).
• Managing authorization policies
• Expiring host/service certificates
• Difficulty debugging problems
• Different services treat proxies differently
  • Libraries
    • Multiple incompatible implementations
  • Mapping
    • VOMS FQANs vs. DN
  • Logging
    • Different formats and contents
  • Banning
    • Not possible on certain services
    • Different methods on different services
      • using GUMS/Argus/... helps
  • Testing/debugging/forensics tools
    • Available for some scenarios on some services
• more...

Others not included in the above?

• Infrastructure problem - using an authentication framework (X.509) for authorisation purposes (proxies)
• Overhead - X509 handling is expensive and cannot always be mitigated by using bulk methods
  • Might X509 be used to obtain some sort of session key that is much cheaper to use instead?

Usability Victories

What are we doing right from a usability perspective?

• Single (at least least infrequent) sign-on - one authentication working many places over a reasonable period of time.
  • Is this related to (i.e. antonym) to the "lack of integration with web" problem described above? - Igor

Top Usability Problems and Victories

Here we discuss and see if we can agree on the top 3 or 5 usability problems and victories.

Try to complete this by January 20th.

• Problem 1
• Problem 2
• Problem 3

• Victory 1
• Victory 2
• Victory 3

Consider some possible solutions.

Brainstorm on possible solutions to the above usability problems.

In which cases is it a Usability vs Security issue or can Security be improved with improved Usability?

Final recommendations

-- VonWelch - 05-Dec-2011