On 18.04.2009, at 10:28, Kyle Hamilton wrote:
It is also conceivable that the server should be able to specify which sites the certificate can be used for. A common usability problem with client certificates in SSL/TLS is selection of certificate, particularly when you have many certificates. A list of hostname:port pairs would probably be a good way to ease that (the SSL/TLS server can also specify which CAs it prefers the certificate to have been issued by, but nobody is currently using that capability). A list of such sites provided at generation time might help the user in cases where the SSL/TLS server does not specify preferred CAs.

It seems like we should encourage people to use the existing feature you mention rather than adding more features to do effectively the same thing.
The "existing feature" is a list of external authorities that the site trusts, rather than necessarily showing "all".

FYI, Apple has made it virtually impossible to use smart cards with Safari because of *requiring* such configuration on the client side (host:port configuration for every certificate for every site where you want to use it).

With Firefox I can configure my client once and my wife can use her card in the same account by just changing the card in the reader. With Apple, I can't do it, as one Mac user account can have only one certificate defined for a website profile. It might be a "privacy enhancing" feature, but it sure is a usability-busting one.

For me, a CA list from the server and a "common sense" implementation by the client is pretty OK for SSL.
--
Martin Paljak
http://martin.paljak.pri.ee
+372.515.6495
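The two selection mechanisms the thread contrasts, the server's certificate_authorities list in the CertificateRequest message (RFC 5246 section 7.4.4, an empty list meaning any CA is acceptable) and a client-side host:port pin, can be sketched as one selection routine. The following is an added illustration, not code from the thread, from NSS or from any browser; the certificate store, the CA names and the site-pin map are constructed sample data, and certificates are modelled as distinguished-name strings rather than parsed X.509 objects. The "common sense" part is the last step: auto-select only when exactly one certificate fits, otherwise prompt, so the client never silently discloses an identity the user did not intend to use.

```python
from dataclasses import dataclass
from typing import Dict, List, Optional, Sequence, Set, Tuple


@dataclass(frozen=True)
class ClientCert:
    """One certificate the client could offer.  All names below are
    constructed for this example; none refers to a real CA or person."""
    label: str                # what the chooser dialog shows
    subject: str              # subject DN of the leaf certificate
    chain: Tuple[str, ...]    # issuer DNs from the leaf's issuer up to the root

    def issued_under(self, ca_dn: str) -> bool:
        # A certificate_authorities entry may name the direct issuer or any
        # CA higher up the chain (RFC 5246 section 7.4.4).
        return ca_dn in self.chain


def select_candidates(
    certs: Sequence[ClientCert],
    acceptable_cas: Sequence[str],
    site: Optional[str] = None,
    site_prefs: Optional[Dict[str, Set[str]]] = None,
) -> List[ClientCert]:
    """Return the certificates usable for this handshake."""
    pool = list(certs)

    # Step 1 (optional): a per-site pin, i.e. the "host:port -> certificate"
    # list the thread describes.  It is treated as a hint that narrows the
    # pool, not as a hard requirement, so an unconfigured site still works.
    if site and site_prefs and site in site_prefs:
        pinned = [c for c in pool if c.label in site_prefs[site]]
        if pinned:
            pool = pinned

    # Step 2: honour the server's certificate_authorities list.  An empty
    # list means the server accepts any CA, so nothing is filtered out.
    if acceptable_cas:
        pool = [c for c in pool
                if any(c.issued_under(ca) for ca in acceptable_cas)]
    return pool


def choose(certs, acceptable_cas, site=None, site_prefs=None) -> Optional[ClientCert]:
    """'Common sense' policy: offer a certificate automatically only when
    exactly one fits; otherwise return None so the UI asks the user."""
    pool = select_candidates(certs, acceptable_cas, site, site_prefs)
    return pool[0] if len(pool) == 1 else None


# Constructed sample store: two ID cards under one national PKI (the
# "change the card in the reader" case), one employer-issued certificate,
# and one self-signed test certificate.
ID_CA = ("CN=National ID Issuing CA", "CN=National Root CA")
CORP_CA = ("CN=Example Corp Issuing CA", "CN=Example Corp Root CA")
STORE = [
    ClientCert("ID card (first user)", "CN=First Cardholder", ID_CA),
    ClientCert("ID card (second user)", "CN=Second Cardholder", ID_CA),
    ClientCert("Work cert", "CN=employee@example.corp", CORP_CA),
    ClientCert("Test cert", "CN=localhost", ("CN=localhost",)),
]
# Hypothetical client-side pin for a single site.
SITE_PREFS = {"intranet.example.corp:443": {"Work cert"}}

if __name__ == "__main__":
    # A service that trusts the national root: two cards fit, so prompt.
    print(choose(STORE, ["CN=National Root CA"]))
    # The employer's site names its own root: one fits, auto-select.
    print(choose(STORE, ["CN=Example Corp Root CA"]).label)
    # The server sent no CA list: every certificate is a candidate.
    print(len(select_candidates(STORE, [])))
```

Note that the pin is applied before the CA filter, so a pinned certificate that the server would not accept yields an empty pool and a prompt rather than a doomed handshake; a client that applied the pin as a hard rule would reproduce the lock-in the message complains about.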
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto