Nelson B Bolyard wrote:

<snip>

A server that logs you out and doesn't clear your TLS session from its server session cache is a badly designed server. That's not a fundamental flaw in TLS or in browsers, and could also happen with cookies or any other scheme for caching session information. So don't blame TLS or browsers for a bad server implementation. You won't earn any respect here when you do so.
As a developer you may be slightly less interested in who or what to blame; you just note that "it doesn't work". As a technologist in this space, I see a lack of interaction between the different technology owners. AFAIK the widely used Java Servlet specification does not support any concept like TLS session logout, only session cookie invalidation.

Anyway, this has also nourished banks and governments to invest big-time in app-level TLS client-cert authentication.

Microsoft added a "kludge". It looks strange, puts the onus in the wrong place, but it sort of works at least. Due to the situation just mentioned, I have a feeling that a kludge is all we can hope for. We might even end up with nothing...

Anders

--
dev-tech-crypto mailing list
[email protected]
https://lists.mozilla.org/listinfo/dev-tech-crypto

