Ian G wrote, On 2009-03-21 15:55:

> I don't know about these things, but I recognise that badly configured
> servers are a pain. The servers I have experienced this with are
> Apache. They may be misconfigured, but the sysadms aren't agreeing at
> the moment, and talking about the sysadms being "bad" isn't going to
> help; they are no better nor worse than the other ones I've known.

There are many web pages out there that are "cookbooks" for how to set up servers to do this and that. Many of them are full of errors, but to other server admins, these cookbooks are treated like Gospels. When the cookbook formula doesn't work well, the admins don't say "Dude, your cookbook sucks". They say "those browsers sure suck".

> And even when the Apache config is "fixed", this is just the server-side
> workaround. This only means I have to hit a pop-up once every day, it
> doesn't solve the fundamental problem: I want to use cert X speaking to
> server Y. And I want that written down, stuck in the browser's mind.
> Fixing the server does not make that so.

I agree that the user should not need to make that choice every day. He should be able to do so, and should be able to change his configuration easily any day, but he should not need to do that daily.

There are RFEs about this, some for browsers, some for Thunderbird. Here's the TB RFE: https://bugzilla.mozilla.org/show_bug.cgi?id=437683

BTW, this client auth problem is MUCH MUCH worse for Thunderbird users than for browser users, because evidently a higher percentage of free email servers are crap.

I'll have to dig a bit more for the FF one. I think there's more than one for FF.

>> If the clients go along and make this crap invisible, silently causing
>> the servers to spend that extra CPU cost, that will GUARANTEE that SSL/TLS
>> client auth is forever branded as too slow and too expensive.
>
> Surely that's perfect for us?

Uh, Noooo...

> If the clients cause the server that pain, the server admins will ask
> around as to why their servers are so slow, and be told the obvious:
> Just reconfig your server to have a longer timeout on session, Dude!

No, they'll ask around and hear "I don't know, Dude, we're following the cookbook so those browsers must be crap." Group think.

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto