On 10/06/2009 08:44 PM, Kyle Hamilton:
> On Mon, Oct 5, 2009 at 11:38 AM, Eddy Nigg<eddy_n...@startcom.org> wrote:
>>> I don't think anyone is doubting that both FF and IE have some problems
>>> with the way they handle client auth. Most of these problems can be
>>> worked around on the server (use request, not require, through an error
>>> page if the cert you wanted wasn't the cert you got).
>> I know, we however prefer a hard require for some reasons. Obviously what
>> you suggested is only a work-around for a relatively broken UI :S
> Well, the question here, Eddy, is: Does your TLS layer's hard require
> actually produce a useful error alert, as enumerated in my earlier
> email? Or does it just send the "handshake failure" alert on all
> certificate failures?
> If it sends only "handshake failure", your server software is part of
> the problem, and not at all part of the solution.

I don't think so... what would you expect in return if all the browser
sends (if at all) is "I have no certificate"?
How many different responses do you expect instead? The server has no
telepathic capabilities in order to guess if the client has
* an expired certificate
* root not trusted
* intermediate missing (OK, we took care of that one)
* certificate revoked
* no certificate at all

> You already keep track of what is
> clicked by each user... how about keeping track of the failures that
> each IP has, and figuring out what your system's TLS layer is sending
> back?)

I suspect that won't help... it will always be the same. Be assured that
if a certificate was revoked and the client sends it nevertheless
(because he turned off OCSP checking, for example), the system produces an
error accordingly. But those are the minority of instances.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
XMPP: start...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto