My apologies, I thought we were discussing the alert protocol in
general, as relates to TLS and how to tell the client what's going on,
not specifically Firefox's/NSS's behavior.  It's important to get an
understanding of what's going on before trying to decide whether any
change is necessary.  I'm thinking that it is, though.

Your comments suggest to me that NSS (and Firefox) *should not* be
enforcing any checks on the certificates, other than noting that
they're expired or revoked to the user in the certificate selection
dialog.  If it has only one certificate that matches the issuer, but
it's expired... maybe the site that they're trying to get to is the
site necessary to renew it?  How is that site supposed to know which
expired user credential to renew?  (Username and password?!)

Otherwise, the only alert that's sent from the server to client or
client to server is "handshake failure", which is the biggest
catch-all term:

handshake_failure
      Reception of a handshake_failure alert message indicates that the
      sender was unable to negotiate an acceptable set of security
      parameters given the options available.  This is a fatal error.

Under a strict reading, this is only supposed to happen when there are
no shared ciphers.

(I will also note that SSLv3 defined a "no_certificate" alert, which
is only maintained for the number that it was assigned, and which must
not be used in TLS.  I'd bet that there's a lot of discussion in the
archive of the pkix working group's tls list about why it was dropped,
but I was not subscribed at the time it was discussed so I'm not
certain.)

-Kyle H

On Tue, Oct 6, 2009 at 6:13 PM, Eddy Nigg <eddy_n...@startcom.org> wrote:
> On 10/07/2009 02:04 AM, Kyle Hamilton:
>>
>> There is absolutely *NO*
>> requirement that the client send a currently-valid certificate, and
>> it's up to the server to detect that.
>>
>
> Errrr, btw, that's not entirely correct because the client does perform many
> checks. Obviously SHOULD the client send something which is not within the
> list of accepted certificates or SHOULD the client send an expired
> certificate, it's indeed the server's task to detect that and return an
> appropriate response. The point is, that in 99.9% of all cases Firefox makes
> a decision before sending anything. Some versions of Explorer (maybe all)
> pop up the certificates list dialog, which is empty in that case. Same
> result, except in that case the user might guess that it couldn't choose
> anything, hence there might be something missing.
>
> --
> Regards
>
> Signer:  Eddy Nigg, StartCom Ltd.
> XMPP:    start...@startcom.org
> Blog:    http://blog.startcom.org/
> Twitter: http://twitter.com/eddy_nigg
>
> --
> dev-tech-crypto mailing list
> dev-tech-crypto@lists.mozilla.org
> https://lists.mozilla.org/listinfo/dev-tech-crypto
>
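As an added example, not code from this thread, NSS, Firefox or the RFC, the following Python encodes and decodes TLS alert records using the alert numbers RFC 5246 (TLS 1.2) section 7.2 assigns, keeping 41 as the reserved SSLv3 no_certificate number that a TLS peer must not send. It also shows the specific certificate alerts TLS 1.2 defines alongside the catch-all handshake_failure (certificate_expired, certificate_revoked, unknown_ca); the server-side mapping from a client-certificate verification outcome to an alert is an illustrative policy assumed for this example, and the record bytes are constructed here.

```python
"""TLS alert record encoder/decoder.

Added example for this thread, not code from NSS, Firefox or the RFC.
Alert numbers are those of RFC 5246 section 7.2 (TLS 1.2); 41 is the
SSLv3 no_certificate number that TLS keeps reserved and must not send.
The record bytes used below are constructed for the example.
"""
import struct

ALERT_CONTENT_TYPE = 21          # TLS record ContentType alert(21)
LEVELS = {1: "warning", 2: "fatal"}

# AlertDescription values from RFC 5246 7.2; "_RESERVED" numbers are
# kept for compatibility and must not be sent by a TLS implementation.
DESCRIPTIONS = {
    0: "close_notify", 10: "unexpected_message", 20: "bad_record_mac",
    21: "decryption_failed_RESERVED", 22: "record_overflow",
    30: "decompression_failure", 40: "handshake_failure",
    41: "no_certificate_RESERVED", 42: "bad_certificate",
    43: "unsupported_certificate", 44: "certificate_revoked",
    45: "certificate_expired", 46: "certificate_unknown",
    47: "illegal_parameter", 48: "unknown_ca", 49: "access_denied",
    50: "decode_error", 51: "decrypt_error",
    60: "export_restriction_RESERVED", 70: "protocol_version",
    71: "insufficient_security", 80: "internal_error",
    90: "user_canceled", 100: "no_renegotiation",
    110: "unsupported_extension",
}

# Descriptions RFC 5246 7.2.2 says are always fatal; a "warning" level on
# one of these is a peer not following the spec.
ALWAYS_FATAL = {10, 20, 22, 30, 40, 47, 48, 49, 50, 51, 70, 71, 80, 110}


def encode_alert(level, description, version=(3, 3)):
    """Build one TLS record carrying an Alert; version (3, 3) is TLS 1.2."""
    if description == 41:
        raise ValueError("no_certificate (41) is SSLv3-only; TLS must not send it")
    if level not in LEVELS or description not in DESCRIPTIONS:
        raise ValueError("unknown alert level or description")
    body = bytes([level, description])
    header = struct.pack("!BBBH", ALERT_CONTENT_TYPE, version[0], version[1], len(body))
    return header + body


def decode_alert(record):
    """Parse a single alert record into a dict; raises on malformed input."""
    if len(record) < 5:
        raise ValueError("short record header")
    ctype, vmaj, vmin, length = struct.unpack("!BBBH", record[:5])
    if ctype != ALERT_CONTENT_TYPE:
        raise ValueError("not an alert record (content type %d)" % ctype)
    if length != 2 or len(record) != 5 + length:
        raise ValueError("alert body must be exactly 2 bytes")
    level, desc = record[5], record[6]
    notes = []
    if desc == 41:
        notes.append("SSLv3 no_certificate: a TLS peer must not send this")
    if level == 1 and desc in ALWAYS_FATAL:
        notes.append("description is always fatal but level says warning")
    return {
        "version": (vmaj, vmin),
        "level": LEVELS.get(level, "unknown(%d)" % level),
        "description": DESCRIPTIONS.get(desc, "unknown(%d)" % desc),
        "code": desc,
        "notes": notes,
    }


# Illustrative server-side policy (an assumption for this example, not what
# any particular server does): map a client-certificate verification outcome
# to the most specific alert TLS 1.2 offers instead of the catch-all
# handshake_failure. "not_presented" stays handshake_failure because RFC 5246
# 7.4.6 lets a server that requires a client certificate answer an empty
# certificate list with a fatal handshake_failure.
CLIENT_CERT_ALERTS = {
    "expired": 45,           # certificate_expired
    "revoked": 44,           # certificate_revoked
    "unknown_issuer": 48,    # unknown_ca
    "unsupported_type": 43,  # unsupported_certificate
    "not_presented": 40,     # handshake_failure
}


def server_alert_for_client_cert(outcome):
    """Return the fatal alert record a server would send for `outcome`."""
    return encode_alert(2, CLIENT_CERT_ALERTS[outcome])


if __name__ == "__main__":
    sample = b"\x15\x03\x03\x00\x02\x02\x28"  # constructed: fatal handshake_failure
    print(decode_alert(sample))
    print(decode_alert(server_alert_for_client_cert("expired")))
```

Running the module decodes a constructed fatal handshake_failure record and then the certificate_expired record the illustrative server policy produces; feeding `decode_alert` a record with description 41 returns a note that the number is SSLv3-only.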