On Wed, Mar 18, 2009 at 3:28 AM, Nelson B Bolyard <nel...@bolyard.me> wrote:
> b) they have NO CA CERTIFICATES marked as trusted to issue client certs,
> so they violate the SSL and TLS 1.0 protocols by sending out empty lists
> of issuer names for CA certs, which give clients no information with which
> to determine which (if any) of that client's certs should be sent, which
> defeats automatic client cert selection, and

SSL2, SSL3, and TLS1.0 protocols specifically state that the empty list is to be considered the set of all possible certificates. Your statement that they are in violation is incorrect. If you have an issue with this, take it up with IETF.

The rest of your points, I will agree with -- except that I will give no quarter on the unusability of the current UI design (which was, let's be honest, designed for people who knew what they were doing to be able to test it -- not for the end user to be able to use it).

-Kyle H

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto