On Tue, Mar 17, 2009 at 2:51 PM, Anders Rundgren
<[email protected]> wrote:
> I'm personally unconvinced that client-cert-TLS auth is the way ahead.
> HTTP-basic was killed by forms and quite a few schemes out there
> including Entrust's use a similar paradigm for PKI which works better with
> web servers (sessions).  Just doing logout seems to be close to black
> magic using client-cert-TLS auth.  I don't know at least, and based on
> quite a few sites I have tested, I'm not the only moron on the planet :-)

'logout' was designed to be enforced by killing the session on the
server, thus forcing the client to have to re-present its certificate.

The current implementations of sessions leave a lot to be desired.
Especially when trying to resume TLS sessions for multiple pipelines
-- which version of the TLS session state gets used when trying to
resume the session ID?  The version that the client had when it
initiated the request?  The version that the server had when it
received the request?  (note the possibility for problems therein, due
to TCP delays introduced by congestion and the requirement for
retransmission... or IP delays caused by the channel being fully
utilized)

-Kyle H
-- 
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto