On 03/22/2009 12:55 AM, Ian G:
> I don't know about these things, but I recognise that badly configured servers are a pain. The servers I have experienced this with are Apache. They may be misconfigured, but the sysadms aren't agreeing at the moment, and talking about the sysadms being "bad" isn't going to help; they are no better nor worse than the other ones I've known.

Now I have to disagree strongly with you. Servers must be configured no matter what. No server comes with a correctly installed server certificate, for example, nor is a server tuned to serve your specific content. Servers MUST be configured, otherwise they don't work... including client cert auth. Incidentally, your sys admin must have configured the server in question to request client cert auth, because NO server asks for client certificates in its default configuration... so give me a break and kick your sys admin... (most likely he doesn't have a clue about what he is doing, but that's another story, I guess)


> And even when the Apache config is "fixed", this is just the server-side workaround.

LOL... a misconfigured server will ALWAYS cause you problems... any misconfigured software will. This is not a workaround; in your situation it's most likely THE solution.


> This only means I have to hit a pop-up once every day, it doesn't solve the fundamental problem: I want to use cert X speaking to server Y.

It's the other way around, but I can offer you support for a reasonable fee to have your server configured accordingly...

>> Do you really imagine that those ideas have not already been considered by
>> the browser folks, many times, long ago?


> Hmmm, well, many questions abound: why wasn't it done? Where was this discussed? Why didn't client certs just happen? Why are we still using passwords?


Good question... it's because it's so much more convenient and everybody is doing it... but guess what, some thought leaders and some leading projects are working on having that changed.

But there is indeed no logic in defending PayPal and your bank with XYZ measures as long as they use useless user/pass pairs. But at the end of the day it's all a question of risk assessment and the price you are willing to pay, and that of the insurance. Once that price goes up, there are viable solutions like client certs...

--
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog:   https://blog.startcom.org

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
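Added editorial example (not part of the original post or thread): the point above is that Apache only requests a client certificate when an administrator explicitly tells it to, and the scope of that directive decides where the browser's certificate prompt appears. The host name, paths and file locations below are assumptions for illustration.

```apache
# Editorial example, not from the thread. Hostname and paths are assumed.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Default behaviour: Apache never sends a CertificateRequest, so no
    # browser will pop up a certificate chooser. This line only restates
    # the default and is normally omitted.
    SSLVerifyClient none

    # CA(s) whose client certificates are acceptable; these CA names are
    # what the server advertises in its CertificateRequest, which the
    # browser uses to filter the certificates it offers the user.
    SSLCACertificateFile /etc/ssl/certs/client-ca.pem
    SSLVerifyDepth 2

    # Request (and require) a client certificate only under one path, so
    # the certificate prompt appears when the user reaches /secure/,
    # not on every page of the site.
    <Location /secure/>
        SSLVerifyClient require
        # Optional: bind the location to a specific issuer rather than
        # any CA in SSLCACertificateFile.
        SSLRequire %{SSL_CLIENT_I_DN_O} eq "Example Client CA"
    </Location>
</VirtualHost>
```

Two caveats a practitioner should keep in mind: a per-Location `SSLVerifyClient` is applied after the request line is known, which on TLS 1.2 and earlier means Apache renegotiates the connection to ask for the certificate, so `SSLRenegBufferSize` matters for POST bodies to that path; and once the browser has presented a certificate for a host it generally reuses that choice for the session, which is the "once per day" prompt described above rather than a per-request one.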
