May I suggest that we who have spent considerable time and list bandwidth on this topic try to summarize it in a public working document for other people to study?

Since we don't agree on all issues and their possible solution(s), it is reasonable to include contributor(s) for each issue. Here are some possible issues:

--------------------------------------------------
Issue: That TLS-client-cert-auth sessions and conventional (cookie- or URL-based) web sessions are two different ways of keeping authenticated sessions alive contributes to considerable confusion for web-app developers.

Solution: ?

--------------------------------------------------
Issue: The browser-vendor-defined certificate selector interface for TLS-client-cert-auth is usually quite different from its counterpart in the cross-browser proprietary signature plugins used in the EU. This (together with other factors) has made equally proprietary authentication plugins a reality for large PKIs like those used by Swedish banks (5M+).

Solution: One solution would be to define signature support as a browser component.

--------------------------------------------------
FF issue: It seems that the AIA CA issuer extension is not supported. This complicates server setups or, alternatively, requires the end user to install immediate CA certificates.

Solution: Update FF. Could preferably be a part of HTTPS.

Anders Rundgren

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto