470751 – Process of adding digital certificates could be improved

Bug 470751 - Process of adding digital certificates could be improved

Summary: Process of adding digital certificates could be improved

Status:	REPORTED

Alias:	None

Product:	okular
Classification:	Applications
Component:	PDF backend (show other bugs)
Version:	unspecified
Platform:	Other Linux

Importance:	NOR wishlist
Target Milestone:	---
Assignee:	Okular developers

URL:
Keywords:	usability

Depends on:
Blocks:

Reported:	2023-06-07 15:39 UTC by Nate Graham
Modified:	2023-06-08 15:07 UTC (History)
CC List:	1 user (show)

See Also:
Latest Commit:
Version Fixed In:

Attachments
Add an attachment

Note You need to log in before you can comment on or make changes to this bug.

Description Nate Graham 2023-06-07 15:39:09 UTC

Right now to be able to digitally sign a document, you need to add one or more digital certificates. If your digital certificates are not found in the default location (your Firefox profile), the process of adding them is as follows:

1. Go to Settings menu > Configure backends > PDF
2. Change the value of "Certificate database" from "Default" (which shows the Firefox profile) to "Custom"
3. Click the "choose" button to select the location where your digital certificates live. If you have any certs that don't live there, move them there manually in another app
4. Notice that the "Available certificates" table hasn't gotten updated to show the certificates in that folder and become confused
5. Figure out that you need to click the Apply or Ok button to refresh it
6. After being notified that this change requires Okular to be restarted, restart Okular
7. Go to Settings menu > Configure backends > PDF again and verify that the certificate(s) you expect to be there is/are there

Needless to say, this process is quite taxing on the user and they are probably not likely to figure it out on their own without assistance or being explicitly pointed to excellent documentation.

There are various ways this could be improved, but I think a good one would be to ask the user to choose a certificate at the moment they ask Okular to digitally sign the document. Once they choose it, it would be automatically copied to a new custom certificate folder (which would be created somewhere if needed), nd then Okular would not need to be restarted, and then they would immediately be able to sign with it. In the digital signing dialog, they would be able to add a new certificate from there, to avoid having to go into the Configure Backends window at all, ideally.

Comment 1 Sune Vuorela 2023-06-08 06:21:44 UTC

Some things to also be aware of:

 - The certificate will often be hardware backed (smartcard or usb dongle), so can't really be copied around
 - If it is not hardware based, do *not* copy it around. People using it for real purposes wants to know where their keys are.

The need to restart okular when changing the nss location could probably be fixed inside poppler, and a side effect of fixing that  will probably fix all the crash-on-shutdown bugs related to nss.

I'm working on adding an alternative to using nss for digital signatures (using gpg), and most of the setup bits will kind of be delegated to kleopatra, an app kind of designed for this. 

Also when using gpg, my patches for okular will hide the path selection for nss databases.

Comment 2 Nate Graham 2023-06-08 15:07:52 UTC

Thanks for the clarification. I think it's important to distinguish between:

"technical expert who has Opinions™ on cryptography"
and
"Normal person who just wants to sign a document and isn't interested in any of the technical details required to make it happen"

Okular's signing seems like it's adequate for group 1 right now, but isn't optimal for group 2, and that's what I'm bringing up here. Obviously we don't want to make life harder for group 1, bur I'm a firm believer that good UI design can let these users co-exist using the same app. :)