[restricted the Cc's to the mozilla lists]

Arshad,

On Fri, Sep 07, 2007 at 10:04:53AM -0400, Arshad Noor wrote:
> Do you presume that the websites in the domains that you intend
> to track users will install the self-signed CA certificate that
> issued the client-certificate to the unsuspecting user? If not,
> how will the browser know which client certificate to send to
> the website during client-auth?

The typical user does not have a client authentication certificate,
so after installing one for him, the browser will send that out to
anyone who is asking.

> And what happens to the users
> who do not have client-certs issued by this CA when they
> attempt to connect to the site?

Nothing, you can keep it configured as optional on the webserver.

Best regards,
  Alex
--
Dipl.-Math. Alexander Klink | IT-Security Engineer | [EMAIL PROTECTED]
mobile: +49 (0)178 2121703  | Cynops GmbH          | http://www.cynops.de
----------------------------+----------------------+---------------------
HRB 7833, Amtsgericht       | USt-Id: DE 213094986 | Geschäftsführer:
Bad Homburg v. d. Höhe      |                      | Martin Bartosch