On 03/17/2009 01:55 PM, Ian G:
Hi all,
I'd like to ask a couple of questions to those people closer to the
development effort. I spent some hours trying to get a couple of
users up and going on the weekend using client certs and ff/tb
combinations. On the Firefox side, there were problems because of the
popup madness where every click resulted in request(s) to confirm the
certificate [1].
Doing some research on bugzilla, it transpires that the default is to
always ask before using a client certificate, because otherwise we
have a privacy issue.
<https://bugzilla.mozilla.org/show_bug.cgi?id=295922> Now, this is a
bit of a killer issue, because the certs probably have info in them,
and there are obvious harvesting possibilities [2] [3].
However, the fix is to turn on the "ask always" default, which makes
client certs unusable [4] because every click there is a request for
confirmation, and sometimes there are several clicks.
Most likely you have an issue with the cache of the server side.
Incidientially we solved this issue entirely different since the session
cache handling isn't too reliable and at times indeed can be annoying.
So we have seem to have a choice: client certificates are unusable
because they always ask, or they are unusable because they always leak
private info. There is no middle ground.
That's not the issue here.
[1] On the Tb side there were problems in moving a cert out of Ff to
Tb. Ff backup mechanism did not work for "unknown reason".
For backup issues you should file a bug or look for an existing one.
However I haven't seen any problems on current nightly at least.
[2] Laws in Europe might also impact this in various and complicated
ways, c.f. the Danish context in that bug.
That's again something else, because they produced an extension changing
some expected behavior IIRC.
[3] Also, the current UI provides no advice of the problem, so the
user is completely unaware of the implications here. I personally
have turned on the feature without thought, and have been advising
users "yes, turn it on, until Mozilla fixes that bug properly..." :-(
See above, your advice is wrong.
[4] There is some discussion about session caching, and it may be true
that there are server problems to be sorted out. But as far as I can
see, most of the sites that I deal with have this issue, so it may
bounce back to being a client-side issue regardless of what we say.
That's because Apache's default cache timeout is set to 30 seconds or
so. And might be buggy in addition to that.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
