On 2009-10-07 10:32 PDT, Kyle Hamilton wrote:

> The problem with this analysis is that I have yet to see any situation
> where Mozilla's client certificate support meets *anyone's* needs.

Well, of course, we don't hear from the people for whom it works. We only hear from those for whom it doesn't.

> [...] it imposes Mozilla's policy on end-users and organizations
> (what is this about "if it's expired or revoked we don't send it"?

Kyle, Eddy claims that Firefox checks the user's own local cert for revocation. I claim it does not. I claim that it neither checks the cert for revocation, nor that the cert has a valid chain up to a CA trusted to issue client certs.

It does check for expiration of the client's cert, and of course, it only sends certs that are issued by the CAs named by the server (when the server names any CAs) because that is a requirement of the SSL/TLS protocol.

I *know* that it does not check that the cert is issued by a CA that is trusted for client auth, because in Firefox, NO CAs are trusted for client auth. (Does that surprise you?) There's not even a way in Firefox to mark CA certs as trusted for client auth, because that's a server configuration decision, not a browser decision. And in the absence of that trust, checking a cert for revocation is pretty tough. :)

So, before you go any further out on that limb, I suggest you do some tests and see for yourself what Firefox does, or does not, in the way of deciding which certs are suitable for client auth.

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
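An added illustration (not from the thread or from Firefox/NSS) of the client-side selection behaviour the reply above describes: the server's CertificateRequest names acceptable CAs, the client keeps only candidate certs issued by one of them and still inside their validity window, and consults neither revocation nor a client-auth trust chain, so those checks fall to the server. The message layout assumed is the TLS 1.2 CertificateRequest body (RFC 5246); certificates are constructed records with single-CN DER issuer names, and the "revoked" flag is a constructed marker that the selection deliberately ignores.

```python
import struct
from datetime import datetime, timezone

def der_cn(name):
    """DER Name holding one CN attribute (short names only, <128 bytes)."""
    v = name.encode()
    attr = b"\x06\x03\x55\x04\x03" + b"\x0c" + bytes([len(v)]) + v  # OID 2.5.4.3, UTF8String
    atv_seq = b"\x30" + bytes([len(attr)]) + attr
    rdn_set = b"\x31" + bytes([len(atv_seq)]) + atv_seq
    return b"\x30" + bytes([len(rdn_set)]) + rdn_set

def build_certificate_request(ca_dns):
    """TLS 1.2 CertificateRequest body: cert types, sig algs, CA DN list."""
    cert_types = b"\x01"                 # rsa_sign
    sig_algs = b"\x04\x01\x05\x01"       # sha256/rsa, sha384/rsa
    cas = b"".join(struct.pack("!H", len(d)) + d for d in ca_dns)
    return (bytes([len(cert_types)]) + cert_types
            + struct.pack("!H", len(sig_algs)) + sig_algs
            + struct.pack("!H", len(cas)) + cas)

def parse_certificate_authorities(body):
    """Return the list of DER DistinguishedNames the server will accept."""
    off = 1 + body[0]                                   # skip certificate_types
    (n,) = struct.unpack("!H", body[off:off + 2]); off += 2 + n  # skip sig algs
    (total,) = struct.unpack("!H", body[off:off + 2]); off += 2
    end, cas = off + total, []
    while off < end:
        (l,) = struct.unpack("!H", body[off:off + 2]); off += 2
        cas.append(body[off:off + l]); off += l
    return cas

def select_client_certs(candidates, requested_cas, now):
    """Filter as the reply describes: issuer named by server, not expired.
    Revocation status and chain trust are NOT consulted here."""
    chosen = []
    for c in candidates:
        if not (c["not_before"] <= now <= c["not_after"]):
            continue                                   # expiration IS checked
        if requested_cas and c["issuer"] not in requested_cas:
            continue                                   # issuer must be named, if any are
        chosen.append(c["label"])                      # c["revoked"] is never read
    return chosen

# Constructed sample data: two server-named CAs and four candidate client certs.
CA1, CA2, OTHER = der_cn("Corp Issuing CA"), der_cn("Partner CA"), der_cn("Unrelated CA")
REQUEST = build_certificate_request([CA1, CA2])
NOW = datetime(2009, 10, 7, 17, 32, tzinfo=timezone.utc)
def cert(label, issuer, nb_year, na_year, revoked=False):
    return {"label": label, "issuer": issuer, "revoked": revoked,
            "not_before": datetime(nb_year, 1, 1, tzinfo=timezone.utc),
            "not_after": datetime(na_year, 1, 1, tzinfo=timezone.utc)}
CANDIDATES = [cert("expired-ca1", CA1, 2006, 2008), cert("valid-ca1", CA1, 2009, 2011),
              cert("valid-other", OTHER, 2009, 2011), cert("revoked-ca2", CA2, 2009, 2011, True)]
```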