On 10/07/2009 07:25 AM, Kyle Hamilton:
> Your comments suggest to me that NSS (and Firefox) *should not* be
> enforcing any checks on the certificates, other than noting that
> they're expired or revoked to the user in the certificate selection
> dialog. If it has only one certificate that matches the issuer, but
> it's expired... maybe the site that they're trying to get to is the
> site necessary to renew it? How is that site supposed to know which
> expired user credential to renew? (Username and password?!)

Whoo? Well...most likely you must renew before it really expires...

> Under a strict reading, this is only supposed to happen when there are
> no shared ciphers.

Perhaps not sending a certificate means that there is no shared cipher?
Most funny is, when you don't want to choose any of the certificates for
authentication and you hit "Cancel" Firefox nevertheless decides to send
a "Go new cert" message. But it's so brain-dead today, when you want to
try it again and you had by mistake the default remember flag on,
Firefox will automatically send "Go no cert" and doesn't let you choose a
certificate this time around.... :-)
All you can do in this case is close the browser - even if you hit Cancel...
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
XMPP: start...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg