Anders Rundgren wrote:
>>> it matches poorly with web sessions including logout
> 
>> Why should it match application sessions? Because the web application 
>> developers are too dumb to get the session handling right for 
>> themselves? Because the "logout" does not behave like they are
>> used to with passwords?
> 
> You essentially gave the answer yourself. In order to deploy
> TLS-client-cert-auth you must hire very special people.

Like with any other technology you'd like to deploy you have to know 
what you're doing. Everyone who is not able to even hire such people 
should stay out of that business.

> That MSIE has a button "Clear SSL State" is a pretty good indication 
> that securing a static tunnel and browsing the web are two quite 
> distinct applications.

Yes, they are distinct. But I'm not sure why MS introduced this button 
in IE. Do you know? IMO it has nothing to do with web applications' 
session handling.

> That Mozilla apparently works completely differently (?) is not an
> argument for TLS-client-cert-auth, it is an argument *against* it.

I don't understand.

>>> - it is poorly implemented in many browsers with respect to path building
> 
>> Can you explain this?
> 
> At least in FF 2.x, a PIV user had to *install* the entire cert-path
> in the browser trust store in order to authenticate since stuff like
> AIA ca issuers isn't supported in spite of being mandated in PIV.
> Hopefully this was fixed in FF 3.0 but of course this total misalignment
> has given TLS-client-cert-auth a *well-deserved* bad reputation.

I consider this to be a matter of appropriate client enrollment. I guess 
many CAs are doing it wrong.

>>> - it offers very limited filtering capability
> 
>> What do you want to filter? At which point?
> 
> Well, I think that Nelson can testify that there has been a rather
> long-lasting "bug" in FF regarding what certificate to show the
> user in the TLS selection GUI based on [for example] key usage.
> I don't consider this a bug in FF, but a deficiency in TLS-
> client-cert-auth which didn't take this issue into consideration.
> The "fat-app" alternatives usually offer much better selection
> facilities like in: http://tinyurl.com/6ot2vz

I fail to see how this could be improved by a new shiny XML-based protocol 
but cannot be improved with the existing protocols (like TLS).

Ciao, Michael.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto