Eddy Nigg (StartCom Ltd.) wrote:
> Thanks for catching this, it looks like Nelson has updated that and other wording issues.
>
> A few additional comments to make that clearer:
>
> Eddy Nigg (StartCom Ltd.) wrote:
>> I noticed that in the first section under "IE Current Usage", it says that IE will _always_ use that certificate (or lack of certificate) for that site. Only in the second part is this corrected with "IE will always use that certificate to authenticate, until the user _closes_ IE or hits the 'Clear SSL Cache' button." But again in the last section it says "Find all the certificates, present them to the user, remember the user's selection _forever_", which isn't correct.

See the underlined content. Once it says "always", then until the user "closes" IE, and then again "forever". In short, IE will prompt for the certificate again after one closes IE.

> This is a side effect of the Mozilla/Firefox cert selection criteria. Only valid certs that chain to a CA that is trusted by the Server (as indicated by the Client auth CA list) are included. One of the changes in my suggestions would be to include certs that don't fit our criteria of valid on the Ask Every Time list, but mark them as 'not preferred' because they couldn't be validated.
>
>> However this page leads me to something else actually. When a browser doesn't have the complete chain installed in the browser, client auth fails - and this even if the server presents the complete chain as expected to the browser. Additionally, if the chain is missing or no client certificate is installed in the browser, some error like -12777 pops up (don't remember the correct number right now). This of course is less than helpful for the ones in the unknown....

The section above is about Mozilla/Firefox, not about IE. This wasn't very clear in my post.

> I seem to remember there being some bug about this and some of these semantics got changed (or changes were proposed anyway).

BTW the server kicked out the error because it had Request/Require client auth set.
--
Regards
Signer: Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber: [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog: Join the Revolution! <http://blog.startcom.org>
Phone: +1.213.341.0390