This is a stupid discussion.

Authentication schemes in general begin with authenticating the user.
How long the authentication should be considered as valid is
not something the client-end has anything to do with unless it
has gotten some kind of expiration data from the server.

It seems pretty clear that the real culprit is the TLS protocol itself.

Fortunately a lot of people are working hard to establish schemes
that use the good part of TLS (server-auth) and leave the unwieldy
part to a community that won't be able to fix it.

Anders


----- Original Message ----- 
From: "Nelson B Bolyard" <nel...@bolyard.me>
To: "mozilla's crypto code discussion list" <dev-tech-crypto@lists.mozilla.org>
Sent: Friday, March 20, 2009 07:57
Subject: Re: client certificates unusable?


Kyle Hamilton wrote, On 2009-03-19 23:07:

> My reason for the conservative time suggestions is because that's what
> banks tend to use (my bank times me out after 15 minutes of
> inactivity, as does my phone company, and my electric company, and
> PayPal, and...).  

But those are *minutes of inactivity*.  SSL session lifetimes typically
do not take activity (or inactivity) into account.  If you set a 10
minute lifetime, then 10 minutes later, that session will end, and you
must reauthenticate again.  So, 10 minutes means reauthenticating 6
times each hour, 48 times per work day.  :(

> IE7 does have a "forget sessions" button.  I'd like to see a
> reasonable thing implemented as well in Firefox.

FF has had this feature for years.

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
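The distinction Nelson draws above, a fixed SSL session lifetime versus a bank-style inactivity timeout, as an added Python example that is not part of this thread: it counts how many times a user has to authenticate over a work day under each policy. The activity traces are constructed sample data; the 10-minute lifetime and 15-minute idle timeout are the values quoted in the thread.

```python
"""Added example, not from the thread: model the two session-expiry policies
discussed above and count how often a user must authenticate under each.
Activity traces are constructed here; timestamps are seconds since login."""
from typing import Iterable, List, Sequence, Tuple

WORK_DAY = 8 * 3600  # one 8-hour work day, in seconds


def auths_absolute_lifetime(events: Iterable[int], lifetime: int) -> int:
    """Authentications needed when a session is valid for a fixed `lifetime`
    after it was established, whether or not the user is active.  This is
    how an SSL/TLS session cache timeout behaves."""
    count, session_start = 0, None
    for t in events:
        if session_start is None or t - session_start >= lifetime:
            session_start = t  # session expired: user must authenticate again
            count += 1
    return count


def auths_idle_timeout(events: Iterable[int], idle_timeout: int) -> int:
    """Authentications needed when a session only expires after `idle_timeout`
    seconds without activity.  This is the bank-style policy from the thread."""
    count, last_activity = 0, None
    for t in events:
        if last_activity is None or t - last_activity >= idle_timeout:
            count += 1  # idle too long (or first request): authenticate
        last_activity = t  # any request extends the session
    return count


def constructed_trace(gaps: Sequence[Tuple[int, int]] = (), step: int = 30) -> List[int]:
    """One work day of requests every `step` seconds, skipping the (start, end)
    ranges in `gaps`.  Constructed sample data, not a real log."""
    return [t for t in range(0, WORK_DAY, step)
            if not any(start <= t < end for start, end in gaps)]


if __name__ == "__main__":
    steady = constructed_trace()
    with_lunch = constructed_trace(gaps=[(4 * 3600, 5 * 3600)])
    for name, trace in (("steady clicking", steady), ("one-hour lunch", with_lunch)):
        print(f"{name}: 10-min absolute lifetime -> "
              f"{auths_absolute_lifetime(trace, 600)} logins, "
              f"15-min idle timeout -> {auths_idle_timeout(trace, 900)} logins")
```

With steady activity the absolute policy forces 48 logins per day (the figure in the thread) while the idle policy needs only the initial one; a one-hour gap adds a single login under the idle policy but still leaves 42 under the absolute one.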
