On Fri, September 27, 2013 4:09 pm, Eddy Nigg wrote:
>  On 09/28/2013 01:59 AM, From Ryan Sleevi:
> > If your site requires a client certificate, and you know that a client
> > certificate is stored in a smart card, then you also know that when using
> > Firefox, and the smart card is removed, Firefox will invalidate that
> > SSL/TLS session.
>
>  Not really - except in case you require the cert authentication on every
>  exchange between the client and server. I don't believe that many do
>  this as it makes it incredibly slow and some browsers will prompt for the
>  certificate over and over again.

But Firefox (and Chrome, IE, Safari, and Opera) won't.

I'm not sure Firefox supporting some non-Web Platform feature on the basis
that some other browser makes it hard, especially when the number of
browsers that support the feature beyond Firefox is 0.

>
> > When the user removes their smart card, the SSL/TLS session is
> > invalidated, and the user is 'logged out'.
>
>  Kind of, he'll get the infamous ssl_error_handshake_failure_alert error
>  that nobody knows what it is, but that's not how such web apps are
>  usually implemented. They do the client authentication dance once and
>  continue with an application controlled session.

And such webapps could presumably use iframes or XHRs with a background
refresh to a login domain, and when such a fetch fails, know the smart card
was removed, and thus treat it as the same. All without non-standard
features being exposed.

-- 
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
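
The background-refresh approach from the last paragraph of the reply, sketched as an added example that is not part of the original message or of any Mozilla code. It assumes a hypothetical probe URL on a login origin that requires the client certificate at the TLS layer and permits credentialed cross-origin requests; the `threshold` parameter and all function names are additions made here.

```javascript
// Added example; every name below (nextProbeState, probeOnce, startCardMonitor,
// onCardRemoved) is hypothetical and not taken from the thread.

// Pure state transition: counts consecutive failed probes and flags "removed"
// once the threshold is reached. A successful probe resets the counter.
function nextProbeState(state, probeOk, threshold) {
  if (state.removed) return state;              // terminal until the user logs in again
  if (probeOk) return { failures: 0, removed: false };
  const failures = state.failures + 1;
  return { failures, removed: failures >= threshold };
}

// One probe against the client-certificate-protected login origin.
// fetch() rejects on any network or TLS failure and script cannot see why,
// so a failed handshake and an outage look identical; both count as failures.
async function probeOnce(fetchImpl, url, timeoutMs) {
  const ctl = new AbortController();
  const timer = setTimeout(() => ctl.abort(), timeoutMs);
  try {
    const res = await fetchImpl(url, {
      credentials: "include", cache: "no-store", signal: ctl.signal,
    });
    return res.ok;
  } catch (_err) {
    return false;
  } finally {
    clearTimeout(timer);
  }
}

// Polls the probe URL; once the card is considered removed, stops polling and
// calls onCardRemoved exactly once. threshold = 1 treats the first failed
// fetch as removal, as the reply suggests; raise it to tolerate a dropped request.
function startCardMonitor({ url, onCardRemoved, intervalMs = 15000,
                            timeoutMs = 5000, threshold = 1, fetchImpl = fetch }) {
  let state = { failures: 0, removed: false };
  const id = setInterval(async () => {
    const ok = await probeOnce(fetchImpl, url, timeoutMs);
    state = nextProbeState(state, ok, threshold);
    if (state.removed) {
      clearInterval(id);
      onCardRemoved();  // e.g. drop the application session, show the login page
    }
  }, intervalMs);
  return () => clearInterval(id);  // caller can stop the monitor
}
```

The client-side callback is only a UI signal; the server still has to expire the application-controlled session itself for the logout to mean anything.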
