Kyle, it seems that fixing this situation is one of the main reasons for communities like this one.

We need a specific inventory (a big one, yes I know) of problems and workarounds. For example, I sometimes use a Vista machine that uses Norton AV, and it appears that Norton blocks OCSP. How does one get around that without turning off AV? Anyone know?

Barbara is here to collect all that information.

Wes Kussmaul

aerow...@gmail.com wrote:
Let's see.  Difficulties:  Everything.

Management of expired certificates, both your own and others'. Management of revoked certificates, both your own and others'. Management of keys. Management of certificate requests. Management of multiple certificates with differing Subjects, on a browser you use for multiple purposes.

Servers: I've yet to see any way to rekey or even recertify an Apache httpd process without requiring a shutdown/restart (graceful, certainly, but not good for high availability).

Clients: What uses them? What software uses it, either as a TLS authentication or an S/MIME mechanism? What communities use it?

Y'know, I first started getting involved with creating an SSLeay CA, for my organization, in 1997. It's TWELVE YEARS LATER, AND THERE HAS BEEN NO APPRECIABLE IMPROVEMENT IN THE CLIENT CERTIFICATE USER INTERFACE.

My apologies for being appalled at this state of affairs.

-Kyle H

On Thu, Nov 5, 2009 at 9:44 AM, Wes Kussmaul <w...@authentrus.com> wrote:
All,

Let me introduce Barbara Mende.

Barbara is producing a guide for users of digital certificates, particularly client certificates, that we hope will be instrumental in getting them more widely adopted. Currently Barbara is collecting information about "certificate gotchas," difficulties experienced by users in the creation, installation and use of digital certificates, and the workarounds and solutions to the problems.

If you have ideas, information or sources of information that would be useful to Barbara in this effort, please send them to her at bme...@reliableid.com. She is also on this list, if the subject is worthy of discussion here.

Wes Kussmaul
Reliable Identities

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto


