Joe Orton wrote, On 2009-03-17 08:55:

> It seems like a poor trade-off to require a larger memory footprint of
> all the SSL servers in the world,

I hear that disk space is pretty cheap these days. 1TB == USD 85

> rather than improve Firefox to be a bit smarter about caching/
> allowing-to-be-cached the association between a client cert and a given
> URL prefix or whatever.

So that it can silently waste VAST amounts of CPU and bandwidth resources?

If a server has so many users that it can't afford to spend the space to save sessions, then it also probably can't afford the CPU cost of all those unnecessary full handshakes.

There are certain widespread freebie server products out there that come up "out of the box" (so to speak) configured by default to request client authentication certificates, even though:

a) they have their session cache disabled, or set very short, so that they effectively request client auth AGAIN on every connection, and

b) they have NO CA CERTIFICATES marked as trusted to issue client certs, so they violate the SSL and TLS 1.0 protocols by sending out empty lists of issuer names for CA certs, which give clients no information with which to determine which (if any) of that client's certs should be sent, which defeats automatic client cert selection, and

c) if any client ever *DOES* send a cert for client authentication, the server abruptly drops the connection (because that user's cert is not known to the server to be an authenticated user credential belonging to an authorized user) instead of continuing the SSL/TLS handshake to completion and then falling back to name/password auth.

Those servers SUCK. They are a scourge upon the Internet. They are giving SSL client auth a black eye. They make users think that this is how SSL was designed to work (which is completely false).

And what do users do about it? They bitch at the browser vendors. They are typically unaware that all these prompts for client auth are the server's fault. They see UI they don't like, and they assume the browser is acting in a buggy/faulty way.

My advice to those who whine about incessant client auth prompts: If you don't like the client auth behavior you experience with your server's software, then find the makers of that sucky server software and bitch at them!

</soapbox>

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
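The protocol point raised in point b) above can be checked mechanically: in SSL 3.0 and TLS 1.0 (RFC 2246 section 7.4.4) the CertificateRequest field `certificate_authorities` is declared `<3..2^16-1>`, so an empty issuer-name list is a protocol violation, and it is also exactly what leaves a client unable to pick a certificate automatically. The parser below is an added example, not code from this thread or from any server product; the sample messages and the `CN=Test CA` name it uses are constructed here.

```python
"""Parse a TLS 1.0 CertificateRequest handshake message (RFC 2246 7.4.4) and
flag an empty certificate_authorities list, which the <3..2^16-1> bound forbids."""
from dataclasses import dataclass, field

HANDSHAKE_CERTIFICATE_REQUEST = 13  # HandshakeType certificate_request


@dataclass
class CertificateRequest:
    certificate_types: list        # ClientCertificateType values (1 = rsa_sign, 2 = dss_sign, ...)
    certificate_authorities: list  # DER-encoded DistinguishedName blobs, exactly as sent
    violations: list = field(default_factory=list)


def build_certificate_request(cert_types, dns):
    """Assemble a full handshake message: 1-byte type, 3-byte length, body.
    Used only to construct sample input; it deliberately permits an empty DN list."""
    types_vec = bytes([len(cert_types)]) + bytes(cert_types)
    ca_vec = b"".join(len(dn).to_bytes(2, "big") + dn for dn in dns)
    body = types_vec + len(ca_vec).to_bytes(2, "big") + ca_vec
    return bytes([HANDSHAKE_CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body


def parse_certificate_request(msg):
    if len(msg) < 4 or msg[0] != HANDSHAKE_CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest handshake message")
    body_len = int.from_bytes(msg[1:4], "big")
    body = msg[4:4 + body_len]
    if len(body) != body_len or len(body) < 3:
        raise ValueError("truncated handshake message")
    violations = []
    n_types = body[0]                                   # certificate_types<1..2^8-1>
    if n_types == 0:
        violations.append("certificate_types is empty")
    cert_types = list(body[1:1 + n_types])
    pos = 1 + n_types
    ca_len = int.from_bytes(body[pos:pos + 2], "big")   # certificate_authorities<3..2^16-1>
    pos += 2
    if pos + ca_len != len(body):
        raise ValueError("certificate_authorities length does not match body")
    if ca_len < 3:
        violations.append("certificate_authorities is empty: TLS 1.0 requires at least one issuer name")
    dns, end = [], pos + ca_len
    while pos < end:
        dn_len = int.from_bytes(body[pos:pos + 2], "big")  # DistinguishedName<1..2^16-1>
        pos += 2
        if dn_len == 0 or pos + dn_len > end:
            raise ValueError("malformed DistinguishedName")
        dns.append(body[pos:pos + dn_len])
        pos += dn_len
    return CertificateRequest(cert_types, dns, violations)


# Constructed sample issuer name: DER encoding of the X.501 Name "CN=Test CA" (20 bytes).
TEST_CA_DN = bytes.fromhex("30123110300e06035504030c0754657374204341")
```

A client that sees a non-empty `violations` list from a real server's CertificateRequest has found the misconfiguration described in point b), not a browser bug.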