On 07/10/2009 22:09, Nelson B Bolyard wrote:
> On 2009-10-07 10:32 PDT, Kyle Hamilton wrote:
>
>> The problem with this analysis is that I have yet to see any situation
>> where Mozilla's client certificate support meets *anyone's* needs.
>
> Well, of course, we don't hear from the people for whom it works.
> We only hear from those for whom it doesn't.

I demur!  It works for me, and therefore I grumble loudly.

If it didn't work I wouldn't say a thing (as a user). I wouldn't be here, I'd be off using something that worked.

Of course, this might be one of those pointless arguments about the meaning of the word "meaning" :)

The way I see it, perfect is impossible, and with this design we have, perfect is dreamland. Non-working isn't there either, the stuff works in the laboratory, and with very patient technical users, or corporate compliance-units.

We are somewhere in between. It is wrong to assume we are at the perfect end, as is so often done. Or the total-non-working end, as is done by the PKI detractors :)

Question is ... where do we want to go from here?

>> [...] it imposes Mozilla's policy on end-users and organizations
>> (what is this about "if it's expired or revoked we don't send it"?
>
> Kyle,  Eddy claims that Firefox checks the user's own local cert for
> revocation.  I claim it does not.  I claim that it neither checks the
> cert for revocation, nor that the cert has a valid chain up to a CA
> trusted to issue client certs.  It does check for expiration of the client's
> cert, and of course, it only sends certs that are issued by the
> CAs named by the server (when the server names any CAs) because that is
> a requirement of the SSL/TLS protocol.
>
> I *know* that it does not check that the cert is issued by a CA that is
> trusted for client auth, because in Firefox, NO CAs are trusted for
> client auth.  (Does that surprise you?)

Yes!

> There's not even a way in Firefox
> to mark CA certs as trusted for client auth, because that's a server
> configuration decision, not a browser decision.

Ah! So what is the policy for adding roots in that configuration to Firefox?

> And in the absence of
> that trust, checking a cert for revocation is pretty tough. :)
>
> So, before you go any further out on that limb, I suggest you do some
> tests and see for yourself what Firefox does, or does not, in the way of
> deciding which certs are suitable for client auth.

Nod vigorously!

iang
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
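The two selection rules Nelson contrasts in the thread, side by side, as an added Go example (not code from the thread, NSS or Firefox): a "protocol" filter that keeps only certificates whose issuer name is one the server listed in its CertificateRequest and that have not expired, and a "chain" filter that actually builds and verifies a path to a root trusted for client authentication. The CA names, subject names, dates and the whole in-memory PKI are constructed for the example; the helper names (`issue`, `protocolFilter`, `chainFilter`, `Scenario`) are hypothetical.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

var serial int64 // constructed: monotonic serial numbers for the throwaway PKI

// issue creates a certificate for cn, signed by parent (self-signed when parent is nil).
// Hypothetical helper for this example only; it is not NSS or Firefox code.
func issue(cn string, notBefore, notAfter time.Time, isCA bool,
	parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             notBefore,
		NotAfter:              notAfter,
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
		tmpl.ExtKeyUsage = nil // a CA with no EKU may issue for any purpose
	}
	signer, signerKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		signer, signerKey = parent, parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// protocolFilter is what the TLS protocol itself requires of a client, plus the
// expiry check the thread says Firefox adds: keep a certificate only if its issuer
// DN equals one of the DER-encoded names the server sent in CertificateRequest and
// it is within its validity period. No chain building, no revocation check.
func protocolFilter(candidates []*x509.Certificate, acceptableCAs [][]byte, now time.Time) []*x509.Certificate {
	var out []*x509.Certificate
	for _, c := range candidates {
		if now.Before(c.NotBefore) || now.After(c.NotAfter) {
			continue
		}
		for _, ca := range acceptableCAs {
			if bytes.Equal(c.RawIssuer, ca) {
				out = append(out, c)
				break
			}
		}
	}
	return out
}

// chainFilter is the stronger check the thread says Firefox does not perform:
// verify a chain (signatures, validity, EKU) up to a root trusted for client auth.
func chainFilter(candidates []*x509.Certificate, roots *x509.CertPool, now time.Time) []*x509.Certificate {
	var out []*x509.Certificate
	for _, c := range candidates {
		_, err := c.Verify(x509.VerifyOptions{
			Roots:       roots,
			CurrentTime: now,
			KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
		})
		if err == nil {
			out = append(out, c)
		}
	}
	return out
}

// names returns the common names of certs, so results can be compared in a test.
func names(certs []*x509.Certificate) []string {
	var out []string
	for _, c := range certs {
		out = append(out, c.Subject.CommonName)
	}
	return out
}

// Scenario builds the constructed PKI and returns which candidates each filter keeps.
func Scenario() (protocolAccepted, chainAccepted []string) {
	now := time.Date(2009, 10, 8, 0, 0, 0, 0, time.UTC) // constructed clock, near the thread's date
	year := 365 * 24 * time.Hour
	corpCA, corpKey := issue("Corp CA", now.Add(-year), now.Add(10*year), true, nil, nil)
	otherCA, otherKey := issue("Other CA", now.Add(-year), now.Add(10*year), true, nil, nil)
	// A separate, untrusted CA that merely reuses Corp CA's distinguished name.
	lookalikeCA, lookalikeKey := issue("Corp CA", now.Add(-year), now.Add(10*year), true, nil, nil)

	alice, _ := issue("alice", now.Add(-year), now.Add(year), false, corpCA, corpKey)          // valid, real chain
	bob, _ := issue("bob", now.Add(-2*year), now.Add(-year), false, corpCA, corpKey)           // expired
	carol, _ := issue("carol", now.Add(-year), now.Add(year), false, otherCA, otherKey)        // CA not named by server
	dave, _ := issue("dave", now.Add(-year), now.Add(year), false, lookalikeCA, lookalikeKey)  // issuer name matches, signature does not

	candidates := []*x509.Certificate{alice, bob, carol, dave}
	acceptableCAs := [][]byte{corpCA.RawSubject} // the DN list the server would send
	roots := x509.NewCertPool()
	roots.AddCert(corpCA)
	return names(protocolFilter(candidates, acceptableCAs, now)), names(chainFilter(candidates, roots, now))
}

func main() {
	p, c := Scenario()
	fmt.Println("issuer-name + expiry filter keeps:", p) // [alice dave]
	fmt.Println("full chain validation keeps:     ", c) // [alice]
}
```

Run it with `go run`. The name-and-expiry filter keeps alice and dave, because dave's issuer DN is byte-identical to Corp CA's even though Corp CA never signed it; only the chain check narrows the set to alice. That gap is the practical point of Nelson's remark: the browser's selection step decides which certificate to offer, and the server's validation (chain, trust for client auth, revocation) is what decides whether it is accepted.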
