Due to the difficulties getting the implementations right (which IMO
probably [also] is due to an "impedance mismatch" between the needs of
TLS and web-server apps), a large percentage of client-cert-using web
apps have turned to other PKI-auth-solutions that have the same
session characteristics as password-using apps.  I think this is fair,
not to mention that the GUIs look MUCH better.  Such solutions
also work flawlessly with [server-side-only] TLS accelerators.

Saving TLS-client-cert-auth (why?) in browsers MUST start now,
otherwise it will most certainly slowly fade away.

Anders

----- Original Message ----- 
From: "Kyle Hamilton" <[email protected]>
To: "mozilla's crypto code discussion list" <[email protected]>
Sent: Tuesday, March 17, 2009 22:59
Subject: Re: client certificates unusable?


On Tue, Mar 17, 2009 at 2:51 PM, Anders Rundgren
<[email protected]> wrote:
> I'm personally unconvinced that client-cert-TLS auth is the way ahead.
> HTTP-basic was killed by forms and quite a few schemes out there
> including Entrust's use a similar paradigm for PKI which works better with
> web servers (sessions). Just doing logout seems to be close to black
> magic using client-cert-TLS auth. I don't know at least, and based on
> quite a few sites I have tested, I'm not the only moron on the planet :-)

'logout' was designed to be enforced by killing the session on the
server, thus forcing the client to have to re-present its certificate.

The current implementations of sessions leave a lot to be desired.
Especially when trying to resume TLS sessions for multiple pipelines
-- which version of the TLS session state gets used when trying to
resume the session ID?  The version that the client had when it
initiated the request?  The version that the server had when it
received the request?  (note the possibility for problems therein, due
to TCP delays introduced by congestion and the requirement for
retransmission... or IP delays caused by the channel being fully
utilized)

-Kyle H
-- 
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto
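A constructed Python model of the logout mechanism Kyle describes (an added example, not code from the thread): the application derives identity from the cached TLS peer certificate, so clearing only an application cookie leaves the user silently re-authenticated on the next request, while dropping the server-side TLS session entry forces a full handshake in which the client must re-present its certificate. All class and method names are made up for illustration.

```python
import hashlib
import secrets


class TlsServerSessionCache:
    """Constructed stand-in for a TLS server's session cache (session ID -> state)."""
    def __init__(self):
        self._sessions = {}

    def full_handshake(self, client_cert_der: bytes) -> str:
        # A full handshake sends CertificateRequest; the verified peer
        # certificate becomes part of the cached session state.
        session_id = secrets.token_hex(16)
        self._sessions[session_id] = {
            "peer_cert_sha256": hashlib.sha256(client_cert_der).hexdigest()}
        return session_id

    def resume(self, session_id: str):
        # Abbreviated handshake: no CertificateRequest, the cached peer
        # identity is reused. None means a full handshake is required.
        return self._sessions.get(session_id)

    def invalidate(self, session_id: str) -> None:
        # Server-side 'logout': the next connection cannot resume and the
        # client must re-present its certificate.
        self._sessions.pop(session_id, None)


class WebApp:
    """Application layer whose identity is derived from the TLS peer cert."""
    def __init__(self, tls: TlsServerSessionCache):
        self.tls = tls
        self._cookies = {}  # cookie token -> identity

    def request(self, cookie, tls_session_id: str):
        # Returns (identity, cookie) for this request, or (None, None).
        if cookie in self._cookies:
            return self._cookies[cookie], cookie
        state = self.tls.resume(tls_session_id)
        if state is None:
            return None, None  # full handshake (and cert prompt) needed
        cookie = secrets.token_hex(16)  # silently re-login from the cert
        self._cookies[cookie] = state["peer_cert_sha256"]
        return self._cookies[cookie], cookie

    def logout_cookie_only(self, cookie) -> None:
        self._cookies.pop(cookie, None)

    def logout_tls_too(self, cookie, tls_session_id: str) -> None:
        self.logout_cookie_only(cookie)
        self.tls.invalidate(tls_session_id)
```

On a real server, invalidating the cache entry only affects new connections; an already-open connection keeps its handshake state until it is closed, so a server-enforced logout also has to tear down the live connection.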