Arshad Noor wrote:
> See below, Alex.
>
> Arshad Noor
> StrongAuth, Inc.
>
> ----- Original Message -----
> From: "Alexander Klink" <[EMAIL PROTECTED]>
>
>> The typical user does not have a client authentication certificate, so after installing one for him, the browser will send that out to anyone who is asking.
>
> My understanding of the TLS protocol is that the browser only sends the certificates signed by CAs that the server trusts; are you saying that the protocol allows for asking ANY certificate from the browser cert-store, regardless of who signed it?

That's true of Firefox, not true of other browsers. Older versions only sent out certificates if those certificates match a cert on the server's CA list. Newer versions can include other certs (IIRC), but only if you have ask always on, in which case you will get a certificate prompt.
Of course this doesn't change what Alexander describes. Servers participating in this data collection scheme are cooperating servers. They would know the CA that issued the particular client certificate and include it in its Request/Not require client auth message.
>>> And what happens to the users who do not have client-certs issued by this CA when they attempt to connect to the site?
>>
>> Nothing, you can keep it configured as optional on the webserver.
>
> If so, how does the website track the client? Wouldn't client-auth need to be on for the tracking to work?

The server sends 'request/not require' certs. Most modern client auth servers use this anyway. It allows you to tell the user why he didn't really get connected instead of just having a dropped connection. The SSL connection completes, and the server sees that no client cert was used, so it can restrict access to what it shows (in the normal case).
It's also essential for web sites that use smart card tokens. You can tell the user 'please insert your token'. With FF 1.5 and later you can use smart card insertion/removal events to cause the page to refresh and have automatic login/logout based on your token using this feature.
_______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
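The "request, don't require" handshake discussed above, as an added example that is not code from this thread: a Go loopback server configured with a CA list and optional client auth is probed once without and once with a client certificate issued by that CA, and in both cases the handshake completes and the application layer sees whether a certificate was presented. The toy CA, the "alice" client certificate and the loopback address are constructed for the example.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// issue mints a certificate for cn signed by parent; with parent == nil it is the self-signed toy CA.
func issue(cn string, parent *x509.Certificate, pkey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey, tls.Certificate) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		DNSNames: []string{"localhost"}, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour),
		IsCA: parent == nil, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	if parent == nil { parent, pkey = tmpl, key } // self-sign the CA
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, pkey)
	cert, _ := x509.ParseCertificate(der)
	return cert, key, tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: cert}
}
// Probe runs a "request, don't require" TLS server on loopback, connects once (with or without a client cert) and returns the server's verdict.
func Probe(sendClientCert bool) string {
	ca, caKey, caTLS := issue("Toy CA", nil, nil) // constructed CA; its cert doubles as the server cert
	_, _, clientTLS := issue("alice", ca, caKey)  // constructed client cert issued by that CA
	pool := x509.NewCertPool(); pool.AddCert(ca)
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{caTLS},
		ClientAuth: tls.VerifyClientCertIfGiven, // CertificateRequest is sent, but a cert is optional
		ClientCAs:  pool})                       // the CA list carried in that CertificateRequest
	if err != nil { panic(err) }
	defer ln.Close()
	verdict := make(chan string, 1)
	go func() { // server side: the handshake completes either way; the application decides what to show
		c, _ := ln.Accept()
		defer c.Close()
		if err := c.(*tls.Conn).Handshake(); err != nil { verdict <- "handshake: " + err.Error(); return }
		peers := c.(*tls.Conn).ConnectionState().PeerCertificates
		if len(peers) == 0 { verdict <- "anonymous"; return } // no cert presented: restrict what is shown
		verdict <- "authenticated as " + peers[0].Subject.CommonName // chain was verified against ClientCAs
	}()
	cfg := &tls.Config{RootCAs: pool, ServerName: "localhost"}
	if sendClientCert { cfg.Certificates = []tls.Certificate{clientTLS} } // issuer is on the CA list, so it is offered
	c, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil { panic(err) }
	defer c.Close()
	return <-verdict
}
```

A server that instead set `tls.RequireAndVerifyClientCert` would drop the handshake for the anonymous case rather than letting the application explain the failure.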