Kyle Hamilton:
>
> The idea is to create a session, then at some point ask the client to
> authenticate within that session using a private key stored on a
> smartcard.  The server should cache that session until the user hits
> the 'logout' button, which should eliminate the caching of the session
> (or at least the credentials associated with the session) on the
> server.

Exactly. Obviously the server should also detect stale sessions...

>
> See, under an OS-integrated smart-card system, as soon as the smart
> card is removed everything associated with the private key on the
> smart card should be invalidated.  (I don't have a smart-card reader
> to test this, though I do know that smart-card removal can trigger a
> locked screensaver or a full logout on Windows.)  However, only
> Microsoft has this, and only with IE.

That's not correct. We do that with Firefox on any platform for web-based
applications. We can do that also at the OS level on different
platforms (Linux, Mac).

>> At least in FF 2.x, a PIV user had to *install* the entire cert-path
>> in the browser trust store in order to authenticate since stuff like
>> AIA ca issuers isn't supported in spite of being mandated in PIV.
>> Hopefully this was fixed in FF 3.0 but of course this total misalignment
>> has given TLS-client-cert-auth a *well-deserved* bad reputation.

BTW, the AIA extension is supported by NSS, but not in Firefox...bang your
head against a wall...it doesn't help! Why do it the easy way if it
can be done the hard way? It's so much more fun! :-)


-- 
Regards

Signer: Eddy Nigg, StartCom Ltd.
Jabber: [EMAIL PROTECTED]
Blog:   https://blog.startcom.org
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto
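An added illustration of the session lifecycle discussed in this message (not code from the thread, from Firefox or from NSS): a server-side session cache where a session is created anonymously, later bound to a smartcard credential (modelled here as a constructed certificate fingerprint string), loses that credential on logout or on card removal, and is dropped once idle longer than an assumed policy limit.

```python
# Minimal server-side session cache (added example; IDLE_LIMIT and the
# fingerprint format are assumptions, not values from the thread).
import secrets
import time

IDLE_LIMIT = 900  # seconds of inactivity after which a session is stale


class SessionStore:
    def __init__(self):
        # session_id -> {"cred": fingerprint or None, "last_seen": timestamp}
        self._sessions = {}

    @staticmethod
    def _now(now):
        return time.time() if now is None else now

    def create(self, now=None):
        # Anonymous session; no credential yet.
        sid = secrets.token_urlsafe(32)
        self._sessions[sid] = {"cred": None, "last_seen": self._now(now)}
        return sid

    def authenticate(self, sid, cert_fingerprint, now=None):
        # Called after a TLS client-cert handshake succeeded within this session.
        s = self._get_live(sid, now)
        if s is None:
            return False
        s["cred"] = cert_fingerprint
        return True

    def credential(self, sid, now=None):
        s = self._get_live(sid, now)
        return None if s is None else s["cred"]

    def logout(self, sid):
        # Logout removes the session and with it the cached credential.
        self._sessions.pop(sid, None)

    def card_removed(self, cert_fingerprint):
        # Invalidate every session bound to the key on the removed card.
        for s in self._sessions.values():
            if s["cred"] == cert_fingerprint:
                s["cred"] = None

    def _get_live(self, sid, now):
        now = self._now(now)
        s = self._sessions.get(sid)
        if s is None:
            return None
        if now - s["last_seen"] > IDLE_LIMIT:
            del self._sessions[sid]  # stale session: drop it entirely
            return None
        s["last_seen"] = now
        return s
```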
