On Wed, Oct 7, 2009 at 6:57 AM, Ian G <i...@iang.org> wrote:
> On 07/10/2009 15:46, Anders Rundgren wrote:
>>
>> Ian G wrote:
>>> For Mozilla, which should be interested in end-user security, an
>>> entirely different subject to client-wallet security, this should be
>>> much closer to something interesting.
>> It should but it isn't since nobody from Mozilla (unlike Microsoft), has
>> shown any interest in why government agencies including USPTO *do not*
>> use browsers' built-in client-PKI support.
>
> I actually am fine with that. It isn't in Mozilla's interests to support
> everyone's needs; just a certain class of needs. I think the needs of the
> downloading 150m or 200m (?) is quite sufficient without dragging in the
> arcania of compliance thinking that bedevils the agencies.
>

The problem with this analysis is that I have yet to see any situation where Mozilla's client certificate support meets *anyone's* needs. It doesn't support secure provisioning, it doesn't support ease of access, it imposes Mozilla's policy on end-users and organizations (what is this about "if it's expired or revoked we don't send it"? What about when a certificate is *un*revoked? What about when the certificate that is expired is taken into account by the designers of the system that it interfaces with such that it could do a "silent" renewal?), and it is completely unwarranted to impose policy in the generic software where policy is imposed externally.

For the analogue of why this last is THE WORST issue, take a look at Microsoft's password policy concepts: a checkbox in the User Manager [for Domains], "user must change password on next login". The messages that are shown to the user:

"Your password expires in 5 days."

"Your password has expired, and must be changed."

That last message implies the following policy: "I know that the password has expired. It's expired recently enough that I still have enough faith in the ownership of the account that I can authorize a credential change, but I cannot allow the current credential to remain valid -- and as soon as I change my records, it won't be."

This is also an issue to bring up with the CAB Forum: why won't the member Browser vendors do anything useful to change their completely worthless, confusing, and high-training-cost zeroth-generation certificate selection interfaces to better support non-server certificates issued by the member CAs?

-Kyle H

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
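The distinction Kyle draws, a hard-coded "expired or revoked means don't offer it" rule versus a policy the deploying organisation supplies, can be made concrete with a small model. The following Python is an added illustration for this thread, not Mozilla or NSS code; the `ClientCert`, `SelectionPolicy`, `renewal_grace` and `offer_revoked` names are invented for the example, and the certificate store is constructed sample data rather than real certificates. It shows how the same selection logic behaves under the browser-style default and under a hypothetical "silent renewal" policy that keeps a recently expired certificate offerable so the server side can drive a renewal.

```python
from dataclasses import dataclass
from datetime import datetime, timedelta, timezone


@dataclass(frozen=True)
class ClientCert:
    """Constructed stand-in for the certificate fields that matter for selection."""
    label: str
    not_before: datetime
    not_after: datetime
    revoked: bool = False  # assumed to come from an earlier CRL/OCSP check (not modelled)


@dataclass(frozen=True)
class SelectionPolicy:
    """Hypothetical policy object: the deploying organisation, not the browser, sets these."""
    renewal_grace: timedelta = timedelta(0)  # how long after expiry a cert may still be offered
    offer_revoked: bool = False              # for systems whose CA can "un-revoke" (hold status)


# The hard-coded behaviour the thread complains about: expired or revoked -> never offered.
BROWSER_DEFAULT = SelectionPolicy()

# An externally imposed policy: a 30-day window during which an expired certificate
# may still be presented so the relying system can perform a silent renewal.
SILENT_RENEWAL = SelectionPolicy(renewal_grace=timedelta(days=30))


def classify(cert: ClientCert, now: datetime) -> str:
    """Return the certificate's status at time `now`; revocation takes precedence."""
    if cert.revoked:
        return "revoked"
    if now < cert.not_before:
        return "not_yet_valid"
    if now > cert.not_after:
        return "expired"
    return "valid"


def is_offerable(cert: ClientCert, policy: SelectionPolicy, now: datetime) -> bool:
    """Decide whether `cert` should appear in the selection dialog under `policy`."""
    status = classify(cert, now)
    if status == "valid":
        return True
    if status == "expired":
        return now - cert.not_after <= policy.renewal_grace
    if status == "revoked":
        return policy.offer_revoked
    return False  # not yet valid: never useful for authentication


def offered_labels(certs, policy: SelectionPolicy, now: datetime) -> list:
    """Labels of the certificates that would be offered, in store order."""
    return [c.label for c in certs if is_offerable(c, policy, now)]


# Constructed sample store covering each situation mentioned in the thread.
NOW = datetime(2009, 10, 7, 12, 0, tzinfo=timezone.utc)
SAMPLE_STORE = [
    ClientCert("valid-employee", NOW - timedelta(days=200), NOW + timedelta(days=165)),
    ClientCert("expired-3-days", NOW - timedelta(days=368), NOW - timedelta(days=3)),
    ClientCert("expired-90-days", NOW - timedelta(days=455), NOW - timedelta(days=90)),
    ClientCert("revoked-employee", NOW - timedelta(days=100), NOW + timedelta(days=265),
               revoked=True),
]

if __name__ == "__main__":
    for name, pol in (("browser default", BROWSER_DEFAULT), ("silent renewal", SILENT_RENEWAL)):
        print(f"{name}: {offered_labels(SAMPLE_STORE, pol, NOW)}")
```

The point of keeping `classify` separate from `is_offerable` is that status determination is a fact about the certificate, while the decision to offer it is policy; only the latter should be configurable, and a grace window should be bounded so that long-expired credentials do not linger as candidates.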