Hi all,

I'd like to ask a couple of questions to those people closer to the development effort. I spent some hours trying to get a couple of users up and going on the weekend using client certs and ff/tb combinations. On the Firefox side, there were problems because of the popup madness where every click resulted in request(s) to confirm the certificate [1].

Doing some research on bugzilla, it transpires that the default is to always ask before using a client certificate, because otherwise we have a privacy issue. <https://bugzilla.mozilla.org/show_bug.cgi?id=295922> Now, this is a bit of a killer issue, because the certs probably have info in them, and there are obvious harvesting possibilities [2] [3].

However, the fix is to turn on the "ask always" default, which makes client certs unusable [4] because on every click there is a request for confirmation, and sometimes there are several clicks.

So we seem to have a choice: client certificates are unusable because they always ask, or they are unusable because they always leak private info. There is no middle ground.

Have I understood it correctly so far?

There is some discussion that there should be a "whitelist" management along the lines of the tuple {site, cert, status}. And some juicy UI to manage that.

So the next questions are: is whitelisting decided, and how far advanced are we on that? (Or, is there some alternative?)

Finally, and this is the really difficult question: what are the policy implications here?

iang



[1] On the Tb side there were problems in moving a cert out of Ff to Tb. Ff backup mechanism did not work for "unknown reason".

[2] Laws in Europe might also impact this in various and complicated ways, cf. the Danish context in that bug.

[3] Also, the current UI provides no advice of the problem, so the user is completely unaware of the implications here. I personally have turned on the feature without thought, and have been advising users "yes, turn it on, until Mozilla fixes that bug properly..." :-(

[4] There is some discussion about session caching, and it may be true that there are server problems to be sorted out. But as far as I can see, most of the sites that I deal with have this issue, so it may bounce back to being a client-side issue regardless of what we say.
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
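
The {site, cert, status} whitelist raised in the message above, sketched as an added example that is not part of the original post and not Firefox or NSS code: it replays a constructed sequence of certificate requests under "ask always", automatic selection, and a remembered per-site decision, counting the prompts shown and the sites that receive the certificate. All names (`ClientCertWhitelist`, `replay`, `askUser`, the `.example` hosts, `alice-cert`) are hypothetical.

```javascript
// Added illustration; every name here is hypothetical, not Firefox or NSS code.
const norm = (site) => site.toLowerCase(); // exact host:port match, no wildcards
// Holds the {site, cert, status} tuples; status is "allow" or "deny".
class ClientCertWhitelist {
  constructor() { this.entries = new Map(); }
  lookup(site) { return this.entries.get(norm(site)) || null; }
  remember(site, cert, status) {
    if (status !== "allow" && status !== "deny") throw new Error("bad status");
    this.entries.set(norm(site), { site: norm(site), cert, status });
  }
}

// Replays certificate requests under one policy. Returns how many prompts the
// user saw and which sites received a certificate. askUser(site) stands in for
// the confirmation dialog and returns a certificate name, or null to refuse.
function replay(policy, requests, askUser, defaultCert) {
  const wl = new ClientCertWhitelist();
  const disclosedTo = new Set();
  let prompts = 0;
  for (const site of requests) {
    let cert = null;
    if (policy === "auto-select") {
      cert = defaultCert;                       // never asks, always sends
    } else if (policy === "ask-always") {
      prompts++;
      cert = askUser(site);                     // asks on every request
    } else if (policy === "whitelist") {
      const entry = wl.lookup(site);
      if (entry) {
        cert = entry.status === "allow" ? entry.cert : null;
      } else {                                  // first contact: ask once, remember
        prompts++;
        cert = askUser(site);
        wl.remember(site, cert, cert ? "allow" : "deny");
      }
    } else throw new Error("unknown policy: " + policy);
    if (cert) disclosedTo.add(norm(site));
  }
  return { prompts, disclosedTo: [...disclosedTo].sort() };
}

// Constructed sample: five requests to a site the user trusts, two to one they refuse.
const REQUESTS = ["bank.example:443", "bank.example:443", "tracker.example:443",
  "bank.example:443", "BANK.example:443", "tracker.example:443", "bank.example:443"];
const askUser = (site) => (norm(site).startsWith("bank.") ? "alice-cert" : null);
for (const p of ["ask-always", "auto-select", "whitelist"]) {
  console.log(p, JSON.stringify(replay(p, REQUESTS, askUser, "alice-cert")));
}
```

The remembered decision gives one prompt per site and discloses the certificate only where the user approved it; the refusal is remembered too, so the second site does not prompt again.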
