On Mon, Oct 5, 2009 at 11:38 AM, Eddy Nigg <eddy_n...@startcom.org> wrote:

>> I don't think anyone is doubting that both FF and IE have some problems
>> with the way they handle client auth. Most of these problems can be
>> worked around on the server (use request, not require, throw an error
>> page if the cert you wanted wasn't the cert you got).
>>
>
> I know, we however prefer a hard require for some reasons. Obviously what
> you suggested is only a work-around for a relatively broken UI :S

Well, the question here, Eddy, is: Does your TLS layer's hard require
actually produce a useful error alert, as enumerated in my earlier
email?  Or does it just send the "handshake failure" alert on all
certificate failures?

If it sends only "handshake failure", your server software is part of
the problem, and not at all part of the solution.

(And security needs to be a pervasive, systemic thing, not something
like a firewall to simply prevent access to more meaningful
information otherwise available.  Even Microsoft managed to get this
one right with their PC Health stuff in Server 2008's Remote Access:
if the user's system doesn't report "healthy", then the same ipsec VPN
connection could be dropped... or, as a recommended Best Practice, it
can be redirected to another network that might have tools such as
virus scanners, malware scanners, and patches available to bring that
client machine back up to health.  You already keep track of what is
clicked by each user... how about keeping track of the failures that
each IP has, and figuring out what your system's TLS layer is sending
back?)

-Kyle H
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
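
The server-side workaround quoted in this thread (request the client certificate rather than require it, then return an error page when the certificate is not the one wanted), sketched with Python's standard ssl module. This is an added example, not code from the thread; the function names, the issuer name and the sample certificate are assumptions made for illustration.

```python
import ssl

def make_server_context(certfile, keyfile, client_ca_file):
    """TLS server context that requests, but does not require, a client cert."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(certfile, keyfile)
    ctx.load_verify_locations(cafile=client_ca_file)
    # "request": a client that presents no certificate still completes the
    # handshake, so the application can explain the problem to the user.
    ctx.verify_mode = ssl.CERT_OPTIONAL
    return ctx

def _names(rdns):
    """Flatten getpeercert()'s nested RDN tuples into a plain dict."""
    return {key: value for rdn in rdns for key, value in rdn}

def client_cert_decision(peercert, wanted_issuer_cn, allowed_subject_cns):
    """Map the dict from SSLSocket.getpeercert() to (http_status, message).

    The message is plain text; escape it before embedding it in HTML.
    """
    if not peercert:
        return 403, "No client certificate was presented. Select one and retry."
    issuer_cn = _names(peercert.get("issuer", ())).get("commonName")
    if issuer_cn != wanted_issuer_cn:
        return 403, (f"Certificate was issued by {issuer_cn!r}; "
                     f"this site needs one from {wanted_issuer_cn!r}.")
    subject_cn = _names(peercert.get("subject", ())).get("commonName")
    if subject_cn not in allowed_subject_cns:
        return 403, f"Certificate for {subject_cn!r} is not enrolled here."
    return 200, f"Authenticated as {subject_cn}."

# Constructed sample in the format getpeercert() returns (not a real certificate).
SAMPLE_CERT = {
    "subject": ((("countryName", "IL"),),
                (("commonName", "alice@example.org"),)),
    "issuer": ((("organizationName", "Example CA"),),
               (("commonName", "Example Client CA"),)),
}
```

This covers only handshakes that complete: under `CERT_OPTIONAL` a certificate that is presented but fails chain validation still aborts the handshake, and the alert sent in that case is chosen by the TLS library, not by this code.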
