On 03/22/2009 07:25 PM, Anders Rundgren:
> May I suggest that we who have spent considerable time and list bandwidth on this topic try to summarize it in a public working document for other people to study?
> I suggest using the Mozilla Wiki for that.
> Since we don't agree on all issues and their possible solution(s), it is reasonable to include contributor(s) for each issue. Here are some possible issues:
>
> --------------------------------------------------
> Issue: That TLS-client-cert-auth sessions and conventional (cookie- or URL-based) web sessions are two different ways of keeping authenticated sessions alive contributes to considerable confusion for web-app developers.
Recognizing the problem correctly is a huge step towards solving it. The solution might be an educational one?
> --------------------------------------------------
> Issue: The browser-vendor-defined certificate selector interface for TLS-client-cert-auth is usually quite different from its counterpart in the cross-browser proprietary signature plugins used in the EU. This (together with other factors) has made equally proprietary authentication plugins a reality for large PKIs like those used by Swedish banks (5M+).
> Solution: One solution would be to define signature support as a browser component.
Sounds interesting, let's hear more...
> --------------------------------------------------------------------------------------
> FF issue: It seems that the AIA CA issuer extension is not supported. This complicates server setups or, alternatively, requires the end-user to install intermediate CA certificates.
Even though I agree and have urged Nelson and others to implement AIA fetching of CA certificates for all products (especially TB is a real pain in this respect), correctly configured servers don't need these to be present in the browser. I think the only thing preventing AIA issuer certificate fetching is a political one (privacy: the CA might know which site you are browsing to, as if the CA couldn't know that anyway through OCSP and CRL requests).
--
Regards
Signer: Eddy Nigg, StartCom Ltd.
Jabber: start...@startcom.org
Blog: https://blog.startcom.org

--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
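The AIA point above (a correctly configured server sends its intermediates, so a browser without AIA fetching still builds the chain) can be checked mechanically. The following is an added example, not code from the thread or from Mozilla: it walks the certificates a server presents towards a local root store and, when an issuer is missing, reports the AIA caIssuers URL an AIA-capable client would have to fetch. It uses the `cryptography` package; the CA, intermediate, leaf and the URL `http://ca.example.test/intermediate.cer` are all constructed here.

```python
# Added example (not part of the thread): report whether the certs a TLS server
# sends reach a local root and, if not, the AIA caIssuers URL an AIA-fetching
# client would need. Uses 'cryptography'; every certificate below is constructed.
import datetime
from cryptography import x509
from cryptography.hazmat.primitives import hashes
from cryptography.hazmat.primitives.asymmetric import ec
from cryptography.x509.oid import AuthorityInformationAccessOID, ExtensionOID, NameOID

def ca_issuer_urls(cert):
    """caIssuers URIs from the AIA extension; [] if the extension is absent."""
    try:
        aia = cert.extensions.get_extension_for_oid(ExtensionOID.AUTHORITY_INFORMATION_ACCESS).value
    except x509.ExtensionNotFound:
        return []
    return [d.access_location.value for d in aia
            if d.access_method == AuthorityInformationAccessOID.CA_ISSUERS]

def first_missing_issuer(chain, roots):
    """Walk from the leaf (chain[0]) towards a trusted root, matching by name only
    (no signature or validity checks). None when a root is reached; otherwise
    (issuer name, caIssuers URLs) of the first cert whose issuer was not sent."""
    root_names = {r.subject.rfc4514_string() for r in roots}
    sent = {c.subject.rfc4514_string(): c for c in chain}
    cert, seen = chain[0], set()
    while True:
        issuer = cert.issuer.rfc4514_string()
        if issuer in root_names:
            return None
        if issuer not in sent or issuer in seen:  # not sent, or a name loop
            return issuer, ca_issuer_urls(cert)
        seen.add(issuer)
        cert = sent[issuer]

def make_cert(cn, signer=None, signer_key=None, ca=False, aia_url=None):
    """Constructed test certificate (self-signed when no signer is given)."""
    key = ec.generate_private_key(ec.SECP256R1())
    name = x509.Name([x509.NameAttribute(NameOID.COMMON_NAME, cn)])
    now = datetime.datetime.now(datetime.timezone.utc)
    b = (x509.CertificateBuilder().subject_name(name)
         .issuer_name(signer.subject if signer else name)
         .public_key(key.public_key()).serial_number(x509.random_serial_number())
         .not_valid_before(now).not_valid_after(now + datetime.timedelta(days=1))
         .add_extension(x509.BasicConstraints(ca=ca, path_length=None), critical=True))
    if aia_url:  # where the issuing CA certificate can be fetched from
        b = b.add_extension(x509.AuthorityInformationAccess([x509.AccessDescription(
            AuthorityInformationAccessOID.CA_ISSUERS, x509.UniformResourceIdentifier(aia_url))]), critical=False)
    return b.sign(signer_key or key, hashes.SHA256()), key

ROOT, ROOT_KEY = make_cert("Constructed Test Root", ca=True)
INTER, INTER_KEY = make_cert("Constructed Test Intermediate", ROOT, ROOT_KEY, ca=True)
LEAF, _ = make_cert("www.example.test", INTER, INTER_KEY, aia_url="http://ca.example.test/intermediate.cer")
```

`first_missing_issuer([LEAF], [ROOT])` models a server that sends only its leaf: it returns the intermediate's name together with the caIssuers URL, while `first_missing_issuer([LEAF, INTER], [ROOT])` returns `None` because the server supplied the intermediate itself.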