On 10/07/2009 10:09 PM, Nelson B Bolyard:
> Kyle, Eddy claims that Firefox checks the user's own local cert for revocation. I claim it does not. I claim that it neither checks the cert for revocation,

Did you check? Try OCSP hard fail... I'm not against it at all, just the messages must improve a bit perhaps.

> nor that the cert has a valid chain up to a CA trusted to issue client certs.

That's perhaps catchy to some extent. I believe for client cert auth the browser must trust the root to where it connects to; I've never tried to use an untrusted cert at our authentication since it is a hard requirement.

> It does check for expiration of the client's cert, and of course, it only sends certs that are issued by the CAs named by the server (when the server names any CAs) because that is a requirement of the SSL/TLS protocol.

Right.

> And in the absence of that trust, checking a cert for revocation is pretty tough. :)

Check it out. If the root is trusted and the client cert has an OCSP AIA URI, it checks.
--
Regards

Signer: Eddy Nigg, StartCom Ltd.
XMPP: start...@startcom.org
Blog: http://blog.startcom.org/
Twitter: http://twitter.com/eddy_nigg

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
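The three checks the thread argues about (validity period, chain to a trusted root allowed to issue client-auth certs, and an OCSP AIA URI to ask for revocation status), as an added Go example that is not code from the thread, Firefox or NSS. It builds its own constructed root CA and client cert; the "Test Root" and "client" names and the ocsp.example.invalid responder URL are placeholders.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// CheckClientCert: Verify enforces the validity period and a chain to a trusted root allowed to
// issue client-auth certs; then an OCSP responder must be named in the AIA extension, because
// without one there is nowhere to ask for revocation status (the point made in the thread).
func CheckClientCert(cert *x509.Certificate, roots *x509.CertPool, now time.Time) ([]string, error) {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return nil, err
	}
	if len(cert.OCSPServer) == 0 {
		return nil, errors.New("no OCSP AIA URI: revocation status cannot be checked")
	}
	return cert.OCSPServer, nil // the responder URIs a client would now query
}

// issue signs tmpl (whose key is key) with caKey; passing ca == tmpl self-signs a root.
func issue(tmpl, ca *x509.Certificate, key, caKey ed25519.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, key.Public(), caKey)
	if err != nil {
		panic(err) // a fixture bug, not a verification outcome
	}
	c, _ := x509.ParseCertificate(der)
	return c
}

// Fixture builds a constructed root CA plus one client cert with the given expiry and OCSP URIs.
func Fixture(now, notAfter time.Time, ocsp []string) (*x509.CertPool, *x509.Certificate) {
	_, caKey, _ := ed25519.GenerateKey(rand.Reader)
	root := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Root"},
		NotBefore: now.Add(-72 * time.Hour), NotAfter: now.Add(24 * time.Hour), IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := issue(root, root, caKey, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, leafKey, _ := ed25519.GenerateKey(rand.Reader)
	client := issue(&x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "client"},
		NotBefore: now.Add(-48 * time.Hour), NotAfter: notAfter, OCSPServer: ocsp,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca, leafKey, caKey)
	return roots, client
}
```

Each Fixture call creates a fresh CA, so a cert checked against another call's pool fails as untrusted, which is the "absence of that trust" case from the thread.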