On 03/22/2009 01:51 AM, Kyle Hamilton:
> Because the means of configuration isn't easy on the server side.

Easy is a relative word...it's easy enough for me to configure the server side in two minutes.

> Because it means having to manually put the certs that one wants to
> allow to authenticate other certs in the server configuration
> directories.

I'm not impressed so far...is that the difficulty you are describing?


> Because the server is hard to configure to do CRLs and/or OCSP.
> Because the CRL still needs to be fetched, usually as a cron job.

So? There are many applications which typically run some cron jobs...

> Because the server still needs to maintain its own local database of
> accepted/trusted users.

It depends greatly on the requirements, policy and environment. But maintaining a database of users is not something you don't have to do otherwise, so again I don't understand the difficulty here.

> Because there's no guarantee that a Subject will remain the same
> Subject, so there's no easy way to map a Subject to a local user.

Oh, it's very easy...you've got immediate issuer, root, subject, not difficult either. Don't you need to map your user/pass pairs upon change too?

> Because there's no guarantee that a Subject is the same as another
> Subject based on CN or any other individual part of a Subject, so
> there's no easy way to protect privacy using only portions of the
> Subject.

That's not a server-side problem, that's a CA-side policy issue I guess. But I didn't understand the problem here either. Why should this be a problem (for your bank, PayPal, whoever)?

> The problem isn't just on the server side, it's not just on the client
> side, it's also on the CA side.  The CA/B forum should have brought
> Server vendors into the mix, too, to explain their plights.

I guess that they don't care at the moment about those issues.

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org
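
An added example, not code from either poster: one way a server can bind a client certificate to a local user by the whole chain identity (root, immediate issuer, full subject) rather than by CN alone, so that a renewed certificate still maps to the same account while a same-CN certificate from another issuer does not, and a CRL fetched by a periodic job can veto a specific serial. The CertInfo fields and all values are constructed for illustration.

```python
import hashlib
from dataclasses import dataclass, field

@dataclass(frozen=True)
class CertInfo:
    """Fields a server extracts from an already-verified client certificate (constructed)."""
    root_fingerprint: str  # SHA-256 of the trust anchor that validated the chain
    issuer: str            # immediate issuer DN
    subject: str           # full subject DN, not only the CN
    serial: str            # hex serial number, unique per issuer

def identity_key(cert: CertInfo) -> str:
    # Root + immediate issuer + full subject: survives renewal (new serial,
    # same subject) but differs for a same-CN cert issued by another CA.
    material = "\n".join((cert.root_fingerprint, cert.issuer, cert.subject))
    return hashlib.sha256(material.encode("utf-8")).hexdigest()

@dataclass
class UserDirectory:
    bindings: dict = field(default_factory=dict)  # identity_key -> local username
    revoked: set = field(default_factory=set)     # (issuer, serial) pairs from the CRL

    def enroll(self, cert: CertInfo, username: str) -> None:
        self.bindings[identity_key(cert)] = username

    def load_crl(self, issuer: str, serials) -> None:
        # What the periodic (cron) CRL fetch would feed in for one issuer.
        self.revoked.update((issuer, s.lower()) for s in serials)

    def authenticate(self, cert: CertInfo):
        # Revocation is checked per (issuer, serial); the account lookup is by identity key.
        if (cert.issuer, cert.serial.lower()) in self.revoked:
            return None
        return self.bindings.get(identity_key(cert))

# Constructed sample certificates.
ROOT = hashlib.sha256(b"constructed root").hexdigest()
ISSUER = "CN=Example Client CA,O=Example Ltd"
ALICE = CertInfo(ROOT, ISSUER, "CN=alice,O=Example Ltd", "01a3")
ALICE_RENEWED = CertInfo(ROOT, ISSUER, "CN=alice,O=Example Ltd", "02b7")
LOOKALIKE = CertInfo(ROOT, "CN=Other CA,O=Elsewhere", "CN=alice,O=Elsewhere", "01a3")

def demo():
    d = UserDirectory()
    d.enroll(ALICE, "alice")
    d.load_crl(ISSUER, ["01A3"])  # original cert revoked after the rekey
    return (d.authenticate(ALICE), d.authenticate(ALICE_RENEWED), d.authenticate(LOOKALIKE))
```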

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
