----- Original Message -----
> On 18/04/2012 05:10, Kyle Hamilton wrote:
> > On Tue, Apr 17, 2012 at 6:57 PM, Eric Covener <cove...@gmail.com> wrote:
> > > > For these reasons, the paragraph in question is harmful, and I
> > > > petition that it be struck from the documentation.
> > >
> > > How about something to the effect of "optional and optional_no_ca are
> > > useful if you want to validate the certificate yourself, and generate
> > > your own friendly error response if there's a problem".
> > >
> > > Or, I'm totally misunderstanding the point.
> >
> > "optional" means that you can either accept a certificate from a
> > particularly-named CA, or you want to handle the 403 yourself.
> > Various browsers (including Safari) will not let you send a
> > certificate from a CA which hasn't been named in this circumstance,
> > and will provide a blank credential selection dialog with "OK" greyed
> > out and "Cancel" selected. (This feels like "cancel the connection
> > attempt" more than "cancel sending a certificate".) It is related
> > specifically to TLS/1.0 inability to legally send a blank "acceptable
> > CAs" list.
> >
> > optional_no_ca means that you can accept a certificate from any CA,
> > and you want to handle both the situations where there is no
> > certificate and where there is a certificate from an untrusted CA
> > (both 403) in the application. This is useful where you care more
> > about the key than the information directly bound to it. It's also
> > useful when you want to accept self-signed client certificates that
> > contain multiple credential chains, and handle the additional parsing
> > overhead in your application. This requires TLS/1.1+.
> >
> > optional_no_ca is also the only effective means to handle alternate
> > credential formats which can survive basic X.509 parsing, which again
> > requires TLS/1.1+.
> >
> > -Kyle H
>
> I actually like Kyle's response here - maybe just add it verbatim?
>
> Kyle, if you could reword the "none" (trivial) and "require" in the same
> style, we can completely replace the whole sentence with a more detailed
> explanation.

+1

> Being a user who's looked at client crypto, never really got it working,
> and would love to try again, I'd also be interested in a practical
> explanation of how to use "optional_no_ca" to handle the 403 response -
> best if it could be used in a CGI environment - and some more
> information (if there is any) on the Safari issue. Reading your
> paragraph basically (as a user heeding the domain expert) tells me "If
> you want to support users on Safari, you're going to have to wrack your
> brain for some assbackward solution, or just otherwise give up"
>
> But I love where this is going.
>
> Issac

i
--
Igor Galić

Tel: +43 (0) 664 886 22 883
Mail: i.ga...@brainsware.org
URL: http://brainsware.org/
GPG: 6880 4155 74BD FD7C B515 2EA5 4B1D 9E08 A097 C9AE
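A CGI-side treatment of optional_no_ca along the lines Issac asks for, added here as an example and not code from this thread or from httpd: it assumes a vhost with SSLVerifyClient optional_no_ca and SSLOptions +StdEnvVars +ExportCertData, relies on mod_ssl's SSL_CLIENT_VERIFY, SSL_CLIENT_CERT and SSL_CLIENT_S_DN variables, and the allowlist and sample certificate bytes are constructed placeholders.

```python
# CGI handler behind an httpd vhost assumed (not from the thread) to use:
#   SSLVerifyClient optional_no_ca
#   SSLOptions +StdEnvVars +ExportCertData
# mod_ssl then exports SSL_CLIENT_VERIFY (NONE, SUCCESS, GENEROUS or
# FAILED:reason), SSL_CLIENT_CERT (PEM) and SSL_CLIENT_S_DN, and the
# application, not httpd, decides what the client gets back.
import base64
import hashlib
import os
import re
import sys

# Constructed stand-ins: a real deployment pins literal SHA-256 hex
# fingerprints of the certificates it trusts, independent of any CA.
SAMPLE_DER = b"constructed-not-a-real-certificate"
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n%s-----END CERTIFICATE-----\n"
              % base64.encodebytes(SAMPLE_DER).decode())
TRUSTED_FINGERPRINTS = {hashlib.sha256(SAMPLE_DER).hexdigest()}

def pem_to_der(pem):
    """Strip PEM armour (multi-line or single-line form) and decode."""
    body = re.sub(r"-----[^-]*-----", "", pem)
    return base64.b64decode("".join(body.split()), validate=True)

def fingerprint(pem):
    return hashlib.sha256(pem_to_der(pem)).hexdigest()

def classify(environ):
    """Map mod_ssl's verification result to (HTTP status, friendly text)."""
    verify = environ.get("SSL_CLIENT_VERIFY", "NONE")
    if verify == "NONE":
        return 403, "No client certificate was presented."
    if verify.startswith("FAILED"):
        return 403, "Client certificate rejected: " + verify
    pem = environ.get("SSL_CLIENT_CERT", "")
    if not pem:
        return 500, "SSL_CLIENT_CERT missing: set SSLOptions +ExportCertData."
    try:
        fp = fingerprint(pem)
    except ValueError:  # binascii.Error is a ValueError subclass
        return 400, "Client certificate could not be decoded."
    # SUCCESS: httpd validated the chain. GENEROUS: optional_no_ca passed an
    # unverifiable chain through, so trust is decided here by pinning the cert.
    if verify == "SUCCESS" or fp in TRUSTED_FINGERPRINTS:
        return 200, "Hello " + environ.get("SSL_CLIENT_S_DN", "(no subject DN)")
    return 403, "Certificate " + fp[:16] + "... is not on the allowlist."

if __name__ == "__main__":  # run as a CGI script under httpd
    status, text = classify(os.environ)
    sys.stdout.write("Status: %d\r\nContent-Type: text/plain\r\n\r\n%s\n" % (status, text))
```

The GENEROUS branch is where the application takes over the decision that httpd would otherwise end with a bare 403; the SUCCESS branch still reflects httpd's own chain check against its configured CA file.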