> On Dec 28, 2018, at 3:55 PM, Brian Campbell 
> <bcampbell=40pingidentity....@dmarc.ietf.org> wrote:
> 
> I spent some time this holiday season futzing around with a few different 
> browsers to see what kind of UI, if any, they present to the user when seeing 
> different variations of the server requesting a client certificate during the 
> handshake. 
> 
> In a non-exhaustive and unscientific look at the browsers I had easily at my 
> disposal (FF, Chrome, and Safari on Mac OS), it seems they all behave 
> basically the same. If the browser is configured with, or has access to, one 
> or more client certificates that match the criteria of the CertificateRequest 
> message from the server (basically if issued by one of the CAs in the 
> certificate_authorities of the CertificateRequest), a certificate selection 
> UI prompt will be presented to the user. Otherwise, a certificate selection 
> UI prompt is not presented at all. When the CertificateRequest message has an 
> empty certificate_authorities list (likely the case with an optional_no_ca 
> type config), the browsers look for client certificates with any issuer 
> rather than narrowing it down. 

Was your testing via XHR/fetch?

FWIW,

Firefox behavior is determined by a global pick automatically / prompt every 
time flag. Details at https://wiki.mozilla.org/PSM:CertPrompt

Safari on macOS relies on the keychain, where a record is created called an 
Identity Preference. This is a URL (https or email) to preferred certificate 
mapping. Previously, it would create this record the first time a user selected 
a certificate, then never prompt again.

Chrome seems to delegate to the underlying OS for certificate management, so on 
the Mac it has this behavior as well. This means however that other platforms 
may have different behaviors.

Safari on iOS used to automatically select a single certificate match, if the 
query was for a single client CA. I didn’t try with other small numbers (2, 3, 
etc) but when exposing the list of all available CAs as valid client CAs, it 
would prompt. This may not be the heuristic anymore, as knowing the name of a 
client CA (such as one issued as part of a cloud EMM deployment) would allow 
certificates to be used for tracking.

IE (pre-Edge) would allow the behavior to use an automatic cert or prompt to be 
configured per-zone, which would allow policy to send a device/user 
identification certificate to a particular set of sites by default. I have no 
experience with configuring Edge, unfortunately.

-DW
_______________________________________________
OAuth mailing list
OAuth@ietf.org
https://www.ietf.org/mailman/listinfo/oauth
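As an added illustration of the matching Brian describes above (example code, not from this thread or any browser), the following Python builds and parses a TLS 1.2 CertificateRequest body and applies the observed rule: a client certificate is a candidate for the picker only if its issuer appears in certificate_authorities, and an empty list matches any issuer. The DER names and the client-certificate entries are constructed sample data.

```python
import struct

def der_cn(cn: str) -> bytes:
    """DER-encode an X.501 Name holding a single commonName (constructed sample; short-form lengths only)."""
    s = cn.encode("ascii")
    atv = b"\x06\x03\x55\x04\x03\x13" + bytes([len(s)]) + s      # OID 2.5.4.3 + PrintableString
    atv = b"\x30" + bytes([len(atv)]) + atv                       # AttributeTypeAndValue
    rdn = b"\x31" + bytes([len(atv)]) + atv                       # RelativeDistinguishedName (SET)
    return b"\x30" + bytes([len(rdn)]) + rdn                      # Name (SEQUENCE)

def build_certificate_request(cas: list) -> bytes:
    """TLS 1.2 CertificateRequest body (RFC 5246 7.4.4): rsa_sign, sha256/rsa, the given CA names."""
    ca_blob = b"".join(struct.pack("!H", len(dn)) + dn for dn in cas)
    return (b"\x01\x01"                                   # certificate_types: rsa_sign
            + b"\x00\x02\x04\x01"                         # supported_signature_algorithms: sha256/rsa
            + struct.pack("!H", len(ca_blob)) + ca_blob)  # certificate_authorities (may be empty)

def parse_certificate_request(body: bytes):
    off = 0
    n = body[off]; off += 1
    cert_types = list(body[off:off + n]); off += n
    (n,) = struct.unpack_from("!H", body, off); off += 2
    sig_algs = [body[i:i + 2] for i in range(off, off + n, 2)]; off += n
    (n,) = struct.unpack_from("!H", body, off); off += 2
    end = off + n
    cas = []
    while off < end:
        (dn_len,) = struct.unpack_from("!H", body, off); off += 2
        cas.append(body[off:off + dn_len]); off += dn_len
    if off != end or end != len(body):
        raise ValueError("malformed CertificateRequest")
    return cert_types, sig_algs, cas

# Constructed stand-ins for the client certificates a browser has access to (issuer DN only).
CLIENT_CERTS = [
    {"label": "corp-device", "issuer": der_cn("Corp Device CA")},
    {"label": "personal", "issuer": der_cn("Personal CA")},
]

def selectable_certs(body: bytes, client_certs=CLIENT_CERTS) -> list:
    """Labels the picker would offer (empty -> no prompt); empty certificate_authorities means any issuer."""
    _, _, cas = parse_certificate_request(body)
    if not cas:
        return [c["label"] for c in client_certs]
    return [c["label"] for c in client_certs if c["issuer"] in cas]

if __name__ == "__main__":
    print(selectable_certs(build_certificate_request([der_cn("Corp Device CA")])))  # ['corp-device']
    print(selectable_certs(build_certificate_request([])))                          # both labels
    print(selectable_certs(build_certificate_request([der_cn("Other CA")])))        # []
```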
