On 03/21/2009 10:43 PM, Nelson B Bolyard:
The consensus of which you speak is actually a consensus among users of
those crappy servers that, with those servers, client auth is unusable.
I am part of that consensus. But I do not agree that changing the
client to reward crappy servers is any part of the solution. And I
"vote with my wallet" on all those crappy servers. I won't use them.
Wowowow.....slow down a bit my dear friend. As I would defend Mr.
Bolyard and this team elsewhere I'm going to defend Mr. Engelschall and
his crew here...interestingly both are serving a similar community and
work in a similar eco-system.
Just for your knowledge, those crappy servers you are attacking here are
serving the majority of web sites. The crappy server, aka A-Patchy
server is very well tested and in use at millions of service and content
providers.
Now, I'm going to ask you the same questions you asked others in similar
situations:
* Did you debug the problems between those servers and NSS/Firefox?
I guess you are the most capable person to do so!
* Did you file bugs?
* Did you provide patches?
* Did you contact Ralf to find out how the situation could be improved?
Maybe you did and I would be glad to know about it. If you didn't than
there is certainly some room for improvement for the benefit of ALL of
us here.
Doing client auth the hard way on every connection is MUCH WORSE in CPU
cost than ordinary SSL/TLS without session reuse. If people perceive (as
some do now) that using SSL/TLS client auth means doing a full handshake
with TWO RSA computations on every connection, they will never adopt it.
And that what some STUPID CRAPPY servers do now. But it's unnecessary.
Well, if I recall correctly it was IIS and IE which did EXACTLY
that...that was the situation at least a few years ago and I wouldn't be
surprised if this hasn't changed today either. IE would always send the
same certificate upon every request once a certificate was chosen. And
it did that many, many times over. Just nobody noticed (or cared)
because it just sent the client cert over every time...
Any server problem is always blamed on the browser. That's the oldest
lesson of the web, bar none. But that doesn't mean that the browser
should change for every crappy server that comes along. It's fine for
Darwinian selection to let those servers die out. There's no need for
browsers to try to keep those crappy servers live longer.
I think real action is needed instead. Because I guess those servers
won't disappear overnight and neither does NSS/Firefox. How about
solving those problems once and for all? With some goodwill it shouldn't
be all that difficult in my opinion. Or is the hardest part getting a
few prominent crypto coders together and have them agree how to solve
them? As for me, I wouldn't be surprised to learn that both software
would benefit and perform some code changes once the problems are
clearly recognized.
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
