Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

2007-09-07 Thread Alexander Klink
While building the new OpenXPKI Live CD ... <shameless_plug>if you are looking for an (open source) enterprise-grade PKI system, consider OpenXPKI. You can now test development snapshots using our new Morphix-based live CD.</shameless_plug> ... I realised that you can do something with Firefox 2.0.x

Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

2007-09-07 Thread Alexander Klink
On Fri, Sep 07, 2007 at 05:00:51PM +0300, Eddy Nigg (StartCom Ltd.) wrote: However information stated in certificates signed by CAs isn't usually private and depending on the CA policy even published via directories and other different channels, so I'm not sure if this could be an invasion

Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

2007-09-07 Thread Arshad Noor
Alex, Do you presume that the websites in the domains that you intend to track users will install the self-signed CA certificate that issued the client-certificate to the unsuspecting user? If not, how will the browser know which client certificate to send to the website during client-auth?

Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

2007-09-07 Thread Alexander Klink
[restricted the Cc's to the mozilla lists] Arshad, On Fri, Sep 07, 2007 at 10:04:53AM -0400, Arshad Noor wrote: Do you presume that the websites in the domains that you intend to track users will install the self-signed CA certificate that issued the client-certificate to the unsuspecting

Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

2007-09-07 Thread Alexander Klink
[Cc's restricted to the mozilla lists] Hi Eddy, On Fri, Sep 07, 2007 at 07:57:49PM +0300, Eddy Nigg (StartCom Ltd.) wrote: Granted, if this is a real CA. But if you use it like in my PoC not for the typical CA scenario, but for user tracking, you could put all kinds of data in the

Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

2007-09-07 Thread Arshad Noor
See below, Alex. Arshad Noor StrongAuth, Inc. - Original Message - From: Alexander Klink [EMAIL PROTECTED] The typical user does not have a client authentication certificate, so after installing one for him, the browser will send that out to anyone who is asking. My understanding of

Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

2007-09-07 Thread Eddy Nigg (StartCom Ltd.)
Arshad Noor wrote: My understanding of the TLS protocol is that the browser only sends the certificates signed by CAs that the server trusts; are you saying that the protocol allows for asking ANY certificate from the browser cert-store, regardless of who signed it? Yes, one can

Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

2007-09-07 Thread Robert Relyea
Arshad Noor wrote: See below, Alex. Arshad Noor StrongAuth, Inc. - Original Message - From: Alexander Klink [EMAIL PROTECTED] The typical user does not have a client authentication certificate, so after installing one for him, the browser will send that out to anyone who is asking.

Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

2007-09-07 Thread Arshad Noor
Thanks for the deeper explanation, Bob. I continue to get a little more educated each day - I am grateful to all for that. :-) Arshad Noor StrongAuth, Inc. - Original Message - From: Robert Relyea [EMAIL PROTECTED] To: Arshad Noor [EMAIL PROTECTED] Cc: dev-security@lists.mozilla.org,

Re: Firefox 2.0.x: tracking unsuspecting users using TLS client certificates

2007-09-07 Thread Eddy Nigg (StartCom Ltd.)
Arshad Noor wrote: They would know the CA that issued the particular client certificate and include it in its Request/Not require client auth message. Actually funny that I never thought myself about such an option. But a competing CA could harvest the email addresses, which are usually