>> Security-wise there are no differences, assuming appropriate methods are
>> used.

> Well, there is a form drop-down to create client certs, why can't there
> be something similar for choosing client certs to auth inside the form
> (and some kind of hint method to tell if there is any suitable available)?

I think you misunderstood my statement or that I was very unclear. I was referring to SSL-client-auth versus the methods used in [the growing number of] "competing" authentication schemes that work on top of an SSL-server(only)-authenticated channel.

Since SSL gives you a two-way encrypted channel, you indeed get protection from MITM attacks performed at the network level. If not, every proxy server, router, switch, or hub would be able to read sensitive session data. There is though a general weakness in schemes that do not terminate the client-side in the SSL channel, and that is the specific form of MITM attack known as real-time phishing. But this deficiency is eliminated by "targeting" the client-side operation for the site and certificate in the server end. By doing that the receiver (server) can immediately detect if the operation has gone through a phishing proxy or not. It is an extra test to do but rather simple.

For client-cert selection it would be nice if it worked identically for auth and signature operations, and this is in fact what the majority of the proprietary PKI add-ons accomplish today. I doubt that this will be rectified until/if signature and auth schemes get a better integration in browsers. But that is still only the tip of the iceberg. On-line provisioning is also a candidate for a radical improvement.

One of the reasons why many people put faith in Microsoft's CardSpace (formerly InfoCards) is that the entire scheme has been built from scratch, rather than relying on dated PKIX standards in proprietary dressings (includes FF and IE). CardSpace builds on user-centric methods intended to work for consumers that do not know what a certificate is and probably never will. CardSpace is another [well-deserved] blow at PKI.
Anders

_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
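The "targeting" check Anders describes (bind the client-side operation to the site and server certificate the client actually saw, so the real server can tell whether the operation passed through a real-time phishing proxy) can be sketched in a few lines. The following is an added illustration, not code from the mailing-list thread or from any of the products mentioned; it uses an HMAC under a constructed per-client key as a stand-in for the client-certificate signature, and all origins, certificate bytes and keys are constructed sample values.

```python
import hashlib
import hmac
import json
import secrets

# Constructed sample data (not real certificates or keys).
REAL_SITE = "https://bank.example"
REAL_CERT_DER = b"constructed DER bytes standing in for bank.example's certificate"
PHISH_SITE = "https://bank-login.example"   # look-alike host fronted by a relaying proxy
PHISH_CERT_DER = b"constructed DER bytes standing in for the proxy's certificate"
# Stand-in for the client's private key; in a real deployment the client would
# sign with its client-certificate key and the server would verify the signature.
CLIENT_KEY = b"constructed per-client secret"


def cert_fingerprint(cert_der: bytes) -> str:
    """SHA-256 fingerprint of the server certificate as seen on the TLS channel."""
    return hashlib.sha256(cert_der).hexdigest()


def _canonical(payload: dict) -> bytes:
    # Deterministic encoding so client and server MAC the same bytes.
    return json.dumps(payload, sort_keys=True, separators=(",", ":")).encode()


def client_authenticate(client_key: bytes, origin_seen: str,
                        cert_seen_der: bytes, nonce: str) -> dict:
    """Client side: authenticate the server's nonce together with the site and
    certificate that were actually presented on the channel the client is using."""
    payload = {
        "origin": origin_seen,
        "cert_sha256": cert_fingerprint(cert_seen_der),
        "nonce": nonce,
    }
    tag = hmac.new(client_key, _canonical(payload), hashlib.sha256).hexdigest()
    return {"payload": payload, "tag": tag}


def server_verify(client_key: bytes, message: dict, expected_origin: str,
                  own_cert_der: bytes, issued_nonce: str) -> tuple:
    """Server side: first the integrity check, then the 'targeting' check that the
    bound site and certificate are the server's own."""
    payload = message["payload"]
    expected_tag = hmac.new(client_key, _canonical(payload), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected_tag, message["tag"]):
        return False, "bad signature"
    if payload["nonce"] != issued_nonce:
        return False, "nonce mismatch (replay or wrong session)"
    if (payload["origin"] != expected_origin
            or payload["cert_sha256"] != cert_fingerprint(own_cert_der)):
        return False, "site/certificate mismatch: operation was relayed through a proxy"
    return True, "ok"


def direct_login() -> tuple:
    """Client talks to the real server directly: binding matches, verification passes."""
    nonce = secrets.token_hex(16)
    msg = client_authenticate(CLIENT_KEY, REAL_SITE, REAL_CERT_DER, nonce)
    return server_verify(CLIENT_KEY, msg, REAL_SITE, REAL_CERT_DER, nonce)


def relayed_login() -> tuple:
    """Client talks to a real-time phishing proxy that forwards the real server's
    nonce and the client's reply unchanged: the bound site/certificate are the
    proxy's, so the real server rejects the operation."""
    nonce = secrets.token_hex(16)
    msg = client_authenticate(CLIENT_KEY, PHISH_SITE, PHISH_CERT_DER, nonce)
    return server_verify(CLIENT_KEY, msg, REAL_SITE, REAL_CERT_DER, nonce)


def tampered_relay() -> tuple:
    """Proxy rewrites the bound fields to look like a direct connection: without the
    client's key it cannot recompute the tag, so the integrity check fails first."""
    nonce = secrets.token_hex(16)
    msg = client_authenticate(CLIENT_KEY, PHISH_SITE, PHISH_CERT_DER, nonce)
    msg["payload"]["origin"] = REAL_SITE
    msg["payload"]["cert_sha256"] = cert_fingerprint(REAL_CERT_DER)
    return server_verify(CLIENT_KEY, msg, REAL_SITE, REAL_CERT_DER, nonce)


if __name__ == "__main__":
    print("direct:  ", direct_login())
    print("relayed: ", relayed_login())
    print("tampered:", tampered_relay())
```

The point of the check is that the client never has to detect the proxy itself: it simply signs what it sees, and the server compares that against what it knows about itself. The nonce is included so a captured message cannot be replayed later, and the comparison of tags uses a constant-time function.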