Am Freitag, den 07.09.2007, 10:04 -0400 schrieb Arshad Noor: > Alex, > > Do you presume that the websites in the domains that you intend > to track users will install the self-signed CA certificate that > issued the client-certificate to the unsuspecting user? If not, > how will the browser know which client certificate to send to > the website during client-auth? And what happens to the users
In TLS, the Server can for example request that the Cert was issued by a certain CA, to select from multiple installed certificates. > who do not have have client-certs issued by this CA when they > attempt to connect to the site? From RFC4346: If no suitable certificate is available, the client SHOULD send a certificate message containing no certificates. That is, the certificate_list structure has a length of zero. If client authentication is required by the server for the handshake to continue, it may respond with a fatal handshake failure alert. So the connection can still be continued.
signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil
_______________________________________________ dev-tech-crypto mailing list dev-tech-crypto@lists.mozilla.org https://lists.mozilla.org/listinfo/dev-tech-crypto
