On Wed, Oct 7, 2009 at 4:11 PM, Ian G <i...@iang.org> wrote:
> > I *know* that it does not check that the cert is issued by a CA that is
> > trusted for client auth, because in Firefox, NO CAs are trusted for
> > client auth.  (Does that surprise you?)
>
> Yes!

Why?  Firefox doesn't have clients, so it doesn't need to authenticate clients.

> > There's not even a way in Firefox
> > to mark CA certs as trusted for client auth, because that's a server
> > configuration decision, not a browser decision.
>
> Ah!  So what is the policy for adding roots in that configuration to
> Firefox?

Firefox does not have clients.  Firefox *is* a client.  Since it's not a 
server, it doesn't have any reason at all to try to check client certificates.  
Thus, there's no reason for a policy to admit CAs that will be allowed to check 
web client certs -- as Nelson says, that's up to the webserver operator's 
security policy.  The server may choose to only allow internal-CA-signed certs, 
or it may elect to accept StartCom, or it might even elect only to accept 
StartCom's WoT intermediate CA.  (This is very much like the Navy having its 
own central CA, and a system that the Army doesn't need to have access to won't 
trust the Bridge CA that would otherwise allow Army-issued certificates to 
authenticate.)

This is why PSM doesn't have any flag associated with 'allow to validate client certs'.  
Thunderbird and friends, on the other hand, do have a reason to validate them.  In their case, 
they're "validating email users", which is the closest that Firefox comes to validating 
"client web authentication".  The only problem:

TLS Web Client Authentication (1.3.6.1.5.5.7.3.2)
E-mail protection (1.3.6.1.5.5.7.3.4)

The OIDs are different.

-Kyle H
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
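The OID difference Kyle points to, worked through as an added example (this is not code from the thread, nor from NSS or PSM): a stdlib-only Python encoder and decoder for the DER-encoded ExtKeyUsage extension (RFC 5280 section 4.2.1.12), plus the relying-party check a web server would perform, showing that a certificate whose EKU lists only id-kp-emailProtection is not acceptable for id-kp-clientAuth. The sample extension bytes are constructed inside the block; the treatment of anyExtendedKeyUsage and of an absent extension are policy assumptions, stated in the comments, not behaviour the thread describes.

```python
# Added example: encode/decode the DER ExtKeyUsage extension and check a purpose.
# Not from the mailing-list thread or from NSS/PSM; stdlib only.

OID_CLIENT_AUTH = "1.3.6.1.5.5.7.3.2"       # id-kp-clientAuth (TLS Web Client Authentication)
OID_EMAIL_PROTECTION = "1.3.6.1.5.5.7.3.4"  # id-kp-emailProtection
OID_ANY_EKU = "2.5.29.37.0"                 # anyExtendedKeyUsage


def _encode_base128(n):
    """Base-128 encode one OID arc, high bit set on all but the last byte."""
    out = [n & 0x7F]
    n >>= 7
    while n:
        out.append(0x80 | (n & 0x7F))
        n >>= 7
    return bytes(reversed(out))


def _encode_length(n):
    """DER definite-form length: short form below 128, long form otherwise."""
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def encode_oid(dotted):
    """DER OBJECT IDENTIFIER (tag 0x06); first two arcs are merged as 40*a + b."""
    arcs = [int(a) for a in dotted.split(".")]
    body = _encode_base128(arcs[0] * 40 + arcs[1])
    for a in arcs[2:]:
        body += _encode_base128(a)
    return bytes([0x06]) + _encode_length(len(body)) + body


def encode_eku(oids):
    """ExtKeyUsageSyntax ::= SEQUENCE SIZE (1..MAX) OF KeyPurposeId."""
    body = b"".join(encode_oid(o) for o in oids)
    return bytes([0x30]) + _encode_length(len(body)) + body


def _read_tlv(buf, pos):
    """Read one DER tag/length/value; return (tag, value bytes, position after it)."""
    if pos + 2 > len(buf):
        raise ValueError("truncated DER element")
    tag, length = buf[pos], buf[pos + 1]
    pos += 2
    if length & 0x80:
        nbytes = length & 0x7F
        if nbytes == 0 or pos + nbytes > len(buf):
            raise ValueError("bad long-form length")
        length = int.from_bytes(buf[pos:pos + nbytes], "big")
        pos += nbytes
    if pos + length > len(buf):
        raise ValueError("element runs past end of buffer")
    return tag, buf[pos:pos + length], pos + length


def decode_oid(body):
    """Inverse of encode_oid for the value bytes of an OBJECT IDENTIFIER."""
    arcs, n = [], 0
    for b in body:
        n = (n << 7) | (b & 0x7F)
        if not b & 0x80:
            arcs.append(n)
            n = 0
    first = arcs[0]
    lead = [first // 40, first % 40] if first < 80 else [2, first - 80]
    return ".".join(str(a) for a in lead + arcs[1:])


def decode_eku(der):
    """Parse an ExtKeyUsage extension value into its list of dotted OIDs."""
    tag, body, end = _read_tlv(der, 0)
    if tag != 0x30 or end != len(der):
        raise ValueError("EKU extension value must be exactly one SEQUENCE")
    oids, pos = [], 0
    while pos < len(body):
        t, obody, pos = _read_tlv(body, pos)
        if t != 0x06:
            raise ValueError("EKU SEQUENCE entries must be OBJECT IDENTIFIERs")
        oids.append(decode_oid(obody))
    return oids


def allows_purpose(eku_der, purpose_oid):
    """Relying-party check: does this cert's EKU permit purpose_oid?

    Assumptions (policy, not from the thread): an absent extension leaves the
    key unrestricted (RFC 5280), so it is accepted; anyExtendedKeyUsage is
    accepted, although a stricter server MAY reject it for a specific purpose.
    """
    if eku_der is None:
        return True
    oids = decode_eku(eku_der)
    return purpose_oid in oids or OID_ANY_EKU in oids


if __name__ == "__main__":
    # Constructed sample: an S/MIME-style cert carrying only emailProtection.
    email_only = encode_eku([OID_EMAIL_PROTECTION])
    print("email cert OK for e-mail:", allows_purpose(email_only, OID_EMAIL_PROTECTION))
    print("email cert OK for TLS client auth:", allows_purpose(email_only, OID_CLIENT_AUTH))
```

The point of the last two lines is the one Kyle makes: the same validation machinery, given the same CA trust, still says "no" for TLS client authentication because 1.3.6.1.5.5.7.3.4 is not 1.3.6.1.5.5.7.3.2.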
