On 10/04/2009 08:57 PM, Eddy Nigg wrote:
> On 10/05/2009 05:49 AM, Eddy Nigg:
>>
>> So the server sent a nice error page as you say, most browsers
>> including Firefox and Explorer will have to be completely restarted in
>> order to authenticate again. Or the server's session is set to a very
>> short time like 10 seconds, which has other drawbacks perhaps.
>>
>
> Sorry for the spam, but I'm correcting myself here, setting a short
> session will NOT help because the browsers (FF, IE and maybe others)
> will send the same certificate (chosen the first time) simply over and
> over again. Only RESTARTING the browser will help.

FF does not just resend the same certificate unless you have 'Select Automatically' turned on.

I don't think anyone is doubting that both FF and IE have some problems with the way they handle client auth. Most of these problems can be worked around on the server (use request, not require, throw an error page if the cert you wanted wasn't the cert you got).

The current problems we have in the browsers are:

1) IE never lets go of a certificate decision for a website unless you restart, or go to the magic page which clears all of the IE cert decisions, and
2) Firefox never remembers the certificate you selected, so your only choices are to have Firefox silently always select a certificate, or always prompt the user on each renegotiation (which is painful for many servers which seem to always drop the session).

In any case we are still talking 2 different issues (both of which need work).

bob
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
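
The server-side workaround mentioned in the message above (request the client certificate instead of requiring it, then answer with an error page when the wrong one arrives), as an added example that is not part of the original thread. It uses Python's `ssl` module for illustration; `EXPECTED_ISSUER_CN`, `authorize`, `error_page` and the sample certificate dictionary are hypothetical, constructed for this sketch.

```python
import html
import ssl

EXPECTED_ISSUER_CN = "Example Client CA"  # hypothetical policy value

def make_server_context():
    """Server context that requests a client certificate without requiring one."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    # CERT_OPTIONAL ("request"): the handshake completes even with no client
    # certificate, so the application can answer with its own page.
    # CERT_REQUIRED ("require") would abort the handshake instead.
    ctx.verify_mode = ssl.CERT_OPTIONAL
    # A real server also calls ctx.load_cert_chain() and
    # ctx.load_verify_locations() with its own files.
    return ctx

def common_name(rdns):
    """Pull commonName out of the nested tuples getpeercert() uses."""
    for rdn in rdns:
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def error_page(reason):
    # Certificate fields are client-supplied, so escape before embedding.
    return ("<html><body><h1>Client certificate not accepted</h1>"
            f"<p>{html.escape(reason)}</p>"
            "<p>Your browser may keep presenting the same certificate "
            "until it is restarted.</p></body></html>")

def authorize(peercert):
    """Map the dict from SSLSocket.getpeercert() to (status, body)."""
    if not peercert:
        return 403, error_page("No client certificate was presented.")
    issuer = common_name(peercert.get("issuer", ()))
    if issuer != EXPECTED_ISSUER_CN:
        subject = common_name(peercert.get("subject", ()))
        return 403, error_page(
            f"Certificate {subject!r} issued by {issuer!r} is not valid here.")
    return 200, "OK"

if __name__ == "__main__":
    # Constructed sample in the shape getpeercert() returns.
    wrong = {"subject": ((("commonName", "alice"),),),
             "issuer": ((("commonName", "Some Other CA"),),)}
    print(authorize(wrong)[0], authorize(None)[0])
```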