Julien Pierre wrote:

> Jean-Marc,
>
> Jean-Marc Desperrier wrote:
>
>> For more advanced usage of client authentication, it can happen that
>> you own several certs representing several "identities" that you may
>> wish to use concurrently to connect to the server, or to change
>> without having to close the browser.

Yeah, the latest version of IE 6.0 has a new button in the Certificates
portion of the Contents tab in the Internet Options control panel.
The new button says "Clear SSL State".  Their context-dependent help
says it wipes out the SSL cache.  Presumably this is so that you can
choose a different identity.

>> But probably support for that only requires change at the PSM level.
>> I wonder if PSM would in its current state support concurrent access
>> to the same site with a different user certificate.

NSS permits an application to have multiple concurrent SSL sessions
with the same peer, each session having different authentication.
It's accomplished with the SSL_SetSockPeerID function.

But once you had multiple sessions, it's not clear to me how PSM
would figure out which of them to use for a new SSL connection.
It's also not clear to me that an ordinary user could keep it straight.

> In order to login again to the same server with a new identity, you
> would need to invalidate the SSL session.

That's not required by NSS, nor by the SSL/TLS specs.  Maybe you're
saying that PSM currently requires this.

> Normally, the session is valid
> for 24 hours. If you don't want to wait that long, you can either
> restart the browser or the server, which will also invalidate it ;-)
>
> NSS does provide you with the ability to connect to a server without
> re-using an existing SSL session. Nothing in PSM tries to do this, to my
> knowledge. And it's pretty hard to envision what that would look like,
> from a user interface point of view.
>
> The best way would be if the server provided a logout page, which would
> invalidate the SSL session in the server, and thus force your browser to
> do another full handshake the next time around, and allow you to select
> another identity.

Maybe each browser window could display in its status bar the nickname of
the user cert used to authenticate in that window?

--
Nelson B
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
