Today's harvest :-)

HTTPS client-certificate-authentication in browsers
===================================================
I don't believe that TLS CCA (Client Certificate Authentication) in the
form of HTTPS as implemented in current browsers has much of a future.

In fact, quite a bunch of the entities in the EU working with consumer PKI
have replaced HTTPS CCA with an application level scheme[1].

That the TLS CCA protocol doesn't even support "Logout" hasn't made
it a logical choice for web developers either.  Well, there are some
workarounds but they are by no means straightforward, supported
out-of-the-box by server authentication schemes, and are (of course)
entirely undocumented.

The button "Clear SSL state" in MSIE is an indication of how horribly bad it
can go when security experts design systems for "people".

There's no way you can hide the fact that TLS CCA is only truly useful
for securing tunnels between "boxes".

Anders

[1] which wasn't such a big deal since they were forced to write
a browser PKI client more or less from scratch anyway, since the ones shipped
with browsers don't support PKI as defined by banks and government
(like mandatory PIN codes also for on-line enrolled keys).
-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
