On 07/10/2009 13:24, Eddy Nigg wrote:
On 10/07/2009 07:25 AM, Kyle Hamilton:
Your comments suggest to me that NSS (and Firefox) *should not* be
enforcing any checks on the certificates, other than noting that
they're expired or revoked to the user in the certificate selection
dialog. If it has only one certificate that matches the issuer, but
it's expired... maybe the site that they're trying to get to is the
site necessary to renew it? How is that site supposed to know which
expired user credential to renew? (Username and password?!)
Whoo? Well...most likely you must renew before it really expires...
Or, maybe the site accepts that certificate only on the basis of
renewing it?
Might be more practical.
(And, contractually, they are precisely the two parties who are
empowered to agree to variations in the contract :)
Under a strict reading, this is only supposed to happen when there are
no shared ciphers.
Perhaps not sending a certificate means that there is no shared cipher?
Right, what does it mean, one wonders?
Or, to cut the Gordian knot of meaning, it should tell the user "I the
browser shut down the session, and here's why. X,y,z. Workarounds: Get
another certificate, or adjust the params in XYZGUI, or feed clue to
serveradmin."
iang
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto