Henrik,

Henrik Gemal wrote:
How does Mozilla select certificates to show to a webserver when the server asks for a certificate?

The web server first sends Mozilla a list of valid CA certificates from which it will accept a client cert.


Mozilla then looks through the available client certs. The most common case is there is zero or one match, so the automatic choice is easy. If there is more than one, I believe Mozilla will pick the most recently issued certificate. You can, however, force Mozilla to prompt you by setting Edit/Preferences/Privacy & Security/Certificate/Ask every time.

If a spammer set up a cert login site I would automatically show me the cert?

Yes, but only if they first knew who issued your certificate, as the spammer's SSL web server would need to present the correct issuer CA certificate for this to work. Also, note that "presenting your certificate" to a spammer does not accomplish anything more than authenticating you as the owner of the certificate. The spammer knows who you are at that point based on the certificate, however he cannot replay the authentication, because he doesn't have the private key.



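The selection behaviour described in the reply above, modelled as an added example (not part of the original e-mail and not Mozilla's code). `ClientCert`, `select` and the sample store are hypothetical names and constructed data; DNs are compared as normalized strings, and a cert is assumed to match if any CA in its issuer chain was named by the server, which goes slightly beyond the direct-issuer case in the text.

```python
from dataclasses import dataclass
from datetime import datetime

@dataclass(frozen=True)
class ClientCert:
    nickname: str
    issuer_chain: tuple   # issuer DNs, direct issuer first, root last
    not_before: datetime  # issue date
    not_after: datetime   # expiry date

def norm(dn):
    # Simplified DN comparison (assumption): ignore case and spacing around commas.
    return ",".join(part.strip().lower() for part in dn.split(","))

def candidates(certs, acceptable_cas, now):
    """Certs that are currently valid and chain to a CA the server listed."""
    wanted = {norm(dn) for dn in acceptable_cas}
    return [c for c in certs
            if c.not_before <= now <= c.not_after
            and any(norm(dn) in wanted for dn in c.issuer_chain)]

def select(certs, acceptable_cas, now, ask_every_time=False):
    """Return (auto_chosen_cert_or_None, matches_to_show_in_a_prompt)."""
    matches = sorted(candidates(certs, acceptable_cas, now),
                     key=lambda c: c.not_before, reverse=True)
    if not matches:
        return None, []        # nothing to offer: the server learns no identity
    if ask_every_time:
        return None, matches   # "Ask every time": the user picks, or declines
    return matches[0], matches # automatic choice: most recently issued

# Constructed sample store and clock, for illustration only.
NOW = datetime(2003, 6, 1)
STORE = [
    ClientCert("work-old", ("CN=Example Corp CA,O=Example",),
               datetime(2002, 1, 1), datetime(2004, 1, 1)),
    ClientCert("work-new", ("CN=Example Corp CA,O=Example",),
               datetime(2003, 1, 1), datetime(2005, 1, 1)),
    ClientCert("personal", ("CN=Issuing CA 1,O=Other", "CN=Other Root,O=Other"),
               datetime(2003, 3, 1), datetime(2004, 3, 1)),
]

if __name__ == "__main__":
    chosen, _ = select(STORE, ["CN=Example Corp CA, O=Example"], NOW)
    print("auto-selected:", chosen.nickname)
    print("unknown CA list:", select(STORE, ["CN=Unknown CA,O=Elsewhere"], NOW))
```

With "Ask every time" set, a request from an unexpected site becomes a visible prompt instead of a silent disclosure of the certificate's identity.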