On 21/3/09 22:19, Eddy Nigg wrote:
> On 03/21/2009 09:32 PM, Ian G:
>> On 21/3/09 16:54, Eddy Nigg wrote:
>>>
>>> Well, I just thought that I'd remind you about how outraged you were
>>> when I said the same thing....
>>
>> I know, I know, I apologise... I tried, but was stopped for reasons without value here today.
>
> besides that such comments were seen
> all over many times and I think it's just a funny expression. Perhaps you
> should offer to both of us some of your stuff so we'll have some fun
> together ;-)

Right, the problem perhaps is better expressed that some of these comments *aren't written with emoticons at the end* so it is not easy for those from diverse cultures to figure out the joke. Oh, and I save my stuff for those that appreciate fine red wine ;-)

>> Now, to the problem. It seems that we have a consensus that client
>> certificates (in a client authentication role at least) are unusable
>> with the current system.
>
> I think that the word unusable is far too strong. See, there are
> improvements possible and most likely should be made at various levels,
> but unusable? I can claim tens of thousands of active accounts using
> nothing else than client certificate authentication. In the OpenID space
> I know about Verisign and some other providers offering them too - with
> StartSSL being a provider based solely on client cert authentication.

I agree that unusable is strong, even debatable.

I suspect those who have got it working have either clicked on the button that says "present always", or they are working in a strict corporate or government environment where local solutions can develop (which Nelson pointed to). Or perhaps it is OpenID and the answer is we must all adopt that?

Either way, it seems as though all those caveats have problems: Clicking the button cannot be recommended because it is a privacy risk. Once we know about that privacy risk, and once we agree that we cannot mitigate it, well, it is now impossible for any privacy oriented organisation to recommend its use.

Corporate/government is fine, but that's not Mozilla, that's Microsoft; wrong list, sorry. OpenID? What's that, and what's wrong with client certs *as client certs*? Etc etc.

>> And, the way forward is more UI support [1], as suggested by Johnathan.
>
> Yes, I think Johnath has a few ideas to make the UI better...

Good. Er, are you saying we should just let him get on with it, without discussion here? If we're all cool with that, that's fine by me, we can take it offline ;-)

> Now - long pause, deep breath - everything below which you mention
> sounds to me as if you are trying to invent client certificate
> authentication once again from scratch...well, it already exists and
> mostly works fairly well...most of it below works more or less the way
> you would like it to be...not sure what I'm missing or if you are
> missing something here...

Super. Point me to it. Where in my UI do I get it to work "mostly well" ... as you say, it must be there, I just need the way to find it?

I am certainly missing this. Please, tell us where it is? How do I set the "use cert X with site Y always" feature?

> ...or perhaps indeed learn to configure your servers properly and get
> some advice on application programming, middle-ware, protocol layers and
> sessions...

See, now you are distracting yourself ;-)

*I* don't have the servers, and therefore I can only follow Nelson's advice and complain. Guess what, they ignore the complaints, coz it works for them. Also, I want a solution for all of Mozilla's 150m users, not yet another hate campaign against the server people, who haven't forgiven me for the last one. Some advice on application programming ... lol, gee, if that worked we wouldn't be where we are now: 99% dependent on the good old password.

iang
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
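The "use cert X with site Y always" behaviour the message above asks for, versus the global "present always" switch it calls a privacy risk, comes down to where the client decides which certificate (if any) to hand to a server that sends a CertificateRequest. The following is an added example, not code from the thread, from Mozilla/NSS, or from StartSSL: it sketches that per-site policy in Go on top of crypto/tls, whose tls.Config.GetClientCertificate hook receives the server's acceptable-CA list and may answer with an empty certificate to send nothing. The SitePolicy and CertSelector types, the MakeClientCert helper and the hostnames are this example's own inventions; a browser would keep the same decision table behind its UI rather than in a library.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// SitePolicy is this example's (hypothetical) remembered decision for one host:
// which client cert to offer it, and whether silently ("use cert X with site Y
// always") or only after a prompt.
type SitePolicy struct {
	Cert   *tls.Certificate
	Always bool
}

// CertSelector maps hosts to policies. A host with no entry never gets a
// certificate, which is the opposite of a global "present always" switch.
type CertSelector struct {
	policies map[string]SitePolicy
	ask      func(host string) bool // prompt for non-Always entries; nil means decline
}

func NewCertSelector(ask func(host string) bool) *CertSelector {
	return &CertSelector{policies: map[string]SitePolicy{}, ask: ask}
}

func (s *CertSelector) Remember(host string, cert *tls.Certificate, always bool) {
	s.policies[host] = SitePolicy{Cert: cert, Always: always}
}

// Select answers a server's CertificateRequest. An empty tls.Certificate makes
// crypto/tls send no certificate at all; there is no "send whatever" fallback.
func (s *CertSelector) Select(host string, acceptableCAs [][]byte) (*tls.Certificate, error) {
	p, ok := s.policies[host]
	if !ok {
		return &tls.Certificate{}, nil // unknown site: disclose nothing
	}
	if len(acceptableCAs) > 0 && !issuedByOneOf(p.Cert, acceptableCAs) {
		return &tls.Certificate{}, nil // server would not accept it anyway
	}
	if !p.Always && (s.ask == nil || !s.ask(host)) {
		return &tls.Certificate{}, nil // user declined, or no prompt available
	}
	return p.Cert, nil
}

// issuedByOneOf compares the leaf's DER issuer name with the DER DNs the server
// listed as acceptable CAs. Cert.Leaf must be set (MakeClientCert sets it).
func issuedByOneOf(cert *tls.Certificate, cas [][]byte) bool {
	if cert.Leaf == nil {
		return false
	}
	for _, ca := range cas {
		if bytes.Equal(cert.Leaf.RawIssuer, ca) {
			return true
		}
	}
	return false
}

// ClientConfig wires the selector into a tls.Config for one host; the hook
// only fires when the server actually asks for a client certificate.
func (s *CertSelector) ClientConfig(host string) *tls.Config {
	return &tls.Config{
		ServerName: host,
		MinVersion: tls.VersionTLS12,
		GetClientCertificate: func(cri *tls.CertificateRequestInfo) (*tls.Certificate, error) {
			return s.Select(host, cri.AcceptableCAs)
		},
	}
}

// MakeClientCert builds a throwaway self-signed ECDSA client certificate:
// constructed test material for this example, not a real user's key.
func MakeClientCert(cn string) (*tls.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotAfter:     time.Now().Add(24 * time.Hour),
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, nil
}
```

Two caveats a practitioner should keep in mind. First, this only limits which servers are shown the certificate; in TLS 1.2 and earlier the client Certificate message travels unencrypted in the handshake, so anyone on the network path sees it whenever it is sent at all, and only TLS 1.3 encrypts it. Second, filtering on the server's acceptable-CA list is a convenience, not a privacy control: a server can leave the list empty, so the per-host entry, not the CA match, is what stops an unknown site from harvesting the certificate.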
