On 30/1/09 15:07, Denis McCarthy wrote:
> One thing we are investigating is the possibility of writing an ActiveX component to access the computer account to pull the certificate information from there for a browser (we'd probably need to glue the ActiveX component together with some sort of Firefox plugin to get this to work in Firefox, but I think it should be do-able)....
Can't you install a client-side cert in each browser, and then use client-side SSL? From inside your server-side application you can then read out the client-side certificate info.
(The only thing here is, because of "design" decisions, it is more or less business-wise impractical to mix client-side certificate SSL with non-client-side SSL.)
> Ian, I think you may have misunderstood what I meant by 'transaction' (nothing to be ashamed of, as I can't think of any word with more meanings). When I said 'transaction', I wasn't implying transactional integrity or something like that, I was referring to the process one of our users goes through on our web application to process the financial transaction: i.e., fill in the various fields that need to be filled in on the html page, press submit, and get the confirmation.
Sure, no misunderstanding here. The user is doing a thing called a transaction which includes collecting a bunch of info, entering it, and hitting the GO button.
( The word transaction derives from accounting, not tech. The tech people had to wrestle with this thing and discovered they kept mucking it up, and decided that transactions had to have something called "integrity". ACID and all that ... Actually they needed lots of other things as well, but it kept the tech people happy to think of transactions as their "integrity" things. )
Getting back to your question. You want the server to also collect the browser's machine location ... Presumably you have already looked at all the browser headers and decided that the IP address isn't good enough.
Is there a reason why you want certificates involved? Why can't the machine's website just have a drop-down or cookie or something that says what store it is in?
> The application itself is already built and in pilot - we just need to find a balanced security model for a subset of our customers (none of whom are participating in the pilot) that will hit the sweet spot between security and ease of use. We have plenty of security options we could use, but I think if we could access an X.509 certificate from the machine certificate store it would be right on the money for us.
:)

iang
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
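The client-certificate approach suggested in the reply above, seen from the server side, as an added example that is not code from this thread: the server requires a client certificate during the TLS handshake and the application maps the verified subject to a store. It assumes Python's `ssl` module and a hypothetical naming convention (store id in OU, machine name in CN); the file paths, store ids and machine names are constructed placeholders.

```python
import ssl

def make_server_context(server_cert, server_key, client_ca):
    """TLS server context that rejects any client without a cert from client_ca."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(server_cert, server_key)    # placeholder file paths
    ctx.load_verify_locations(cafile=client_ca)     # private CA that issues machine certs
    ctx.verify_mode = ssl.CERT_REQUIRED             # handshake fails without a client cert
    return ctx

def subject_attrs(peercert):
    """Flatten the 'subject' of SSLSocket.getpeercert(): a tuple of RDNs,
    each RDN a tuple of (attribute, value) pairs."""
    attrs = {}
    for rdn in peercert.get("subject", ()):
        for name, value in rdn:
            attrs.setdefault(name, []).append(value)
    return attrs

def store_for_client(peercert, known_stores):
    """Return (store_id, machine_name) for a verified client cert, else None.
    Assumed convention: OU = store id, CN = machine name."""
    if not peercert:                 # None or {}: no certificate was verified
        return None
    attrs = subject_attrs(peercert)
    ous = attrs.get("organizationalUnitName", [])
    cns = attrs.get("commonName", [])
    if len(ous) != 1 or len(cns) != 1:
        return None                  # missing or ambiguous identity: refuse
    if ous[0] not in known_stores:
        return None                  # valid cert, but not a store we know
    return ous[0], cns[0]

# Constructed sample in the shape getpeercert() returns after a verified handshake.
SAMPLE_PEERCERT = {
    "subject": ((("countryName", "IE"),),
                (("organizationalUnitName", "store-0042"),),
                (("commonName", "till-07"),)),
}

if __name__ == "__main__":
    # In a request handler this would be: store_for_client(conn.getpeercert(), stores)
    print(store_for_client(SAMPLE_PEERCERT, {"store-0042", "store-0043"}))
```

Because the store identity comes from a certificate the server verified against its own CA, it cannot be changed by editing a cookie or a form field on the client.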