On 22/3/09 00:32, Eddy Nigg wrote:
On 03/22/2009 12:55 AM, Ian G:
I don't know about these things, but I recognise that badly configured
servers are a pain. The servers I have experienced this with are
Apache. They may be misconfigured, but the sysadms aren't agreeing at
the moment, and talking about the sysadms being "bad" isn't going to
help; they are no better nor worse than the other ones I've known.

Now I have to disagree strongly with you. Servers must be configured no
matter what. No server comes with a correctly installed server
certificate for example, nor is a server tuned to serve your specific
content. Server MUST be configured otherwise they don't
work....including client cert auth. Incidentally your sys admin must
have configured the server in question to request client cert auth
because NO server asks for client certificates in their default
configuration...so give me a break and kick your sys admin... (most
likely he doesn't have a clue about what he is doing, but that's another
story I guess)


You can disagree, fine. I even hate it. I despise the notion that someone can download and install software, pretend to be an expert, and get it going within maybe an hour, with no clue as to how it works. That's not how it was in my day!

But that is the state of the world, today. Most sysadms work the servers to the point where they appear to be working, then move on. Their bosses don't let them do anything else. If they want to learn, that's on their own time.

So who's to blame here? The sysadm that doesn't know, the server producer that produces an unintelligible configuration mess, or the boss that lets such nonsense go on at shareholder's expense? ICANN for not forcing every sysadm to have a driver's licence?


And even when the Apache config is "fixed", this is just the
server-side workaround.

LOL... a misconfigured server will ALWAYS cause you problems... any
misconfigured software will. This is not a work-around; in your
situation it's most likely THE solution.


Well, yes, to the first. No to the second. The more I read about this problem, the more I find there are core issues around selecting the right cert. Think about it; the current Firefox config for client certs is broken if it cannot accurately guess which cert is required. Oops.

Read that page, it is quite comprehensive, Robert Relyea went to town on this one, someone really stuck a bee in his bonnet, maybe his boss who wanted to know why client-certs never work properly :)


This only means I have to hit a pop-up once every day, it doesn't
solve the fundamental problem: I want to use cert X speaking to server Y.

It's the other way around, but I can offer you support for a reasonable
fee to have your server configured accordingly...


Sigh. It isn't about me, it's about all the other servers and about all the other bugs. But I'll bet there is a market opportunity for you if you can run one of those spider programs, hunt down all the misconfigured servers, and offer them a reconfig for a reasonable fee?


Do you really imagine that those ideas have not already been
considered by the browser folks, many times, long ago?


Hmmm, well, many questions abound: why wasn't it done? where was this
discussed? Why didn't client certs just happen? Why are we still using
passwords?


Good question....it's because it's so much more convenient and everybody
is doing it...but guess what, some thought leaders and some leading
projects are working on having that changed.

But there is indeed no logic to defend Paypal and your bank with XYZ
measures as long as they use useless user/pass pairs.


Right, so at least we are agreed that client certs did not take off. As Kyle would put it, then, the assumptions must have a problem - which you would seem to be preferring as "refer to OpenID" if I'm not mistaken.

Don't get me wrong. I'm interested in OpenId. I'd like to understand how it works (which probably means at the protocol level).

But, to me it looks like proof that client cert auth (c-c-a as Anders called it) has failed to take off. Can't we fix that? Or at least, can't we recognise that c-c-a doesn't work alone?


But at the end of the day it's all a question of risk assessment and
the price you are willing to pay, and that of the insurance. Once that
price goes up there are viable solutions like client certs...


Oh.  Um.  Oh dear.  You too.

Do you see client certs as products for big corps and gov'ts, too, only?

Am I alone here in my understanding of "Mozilla of the people, for the people, by the people?" Are we only here to serve the sales of product?



iang
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto