Mark Sirota wrote:

--On November 17, 2005 11:05:31 AM -0600 "Douglas E. Engert" <[EMAIL PROTECTED]> wrote:

There is browser support! Along with the UMich Kx509 that works with
the IE there is the kpkcs11 for all the other browsers. This implements
a PKCS11 Security device plugin, and it works on Unix or Windows with
Netscape, Mozilla or any other browser that can use smartcards
via a PKCS11 plugin. It should also work on a Mac too.


Might be worth looking into again.  Our last investigation (probably two
years ago) showed that while IE pretended to support this, it did goofy
things -- if the server advertised the capability, the browser would ask
the user which certificate to present, even if the user had zero certificates
in their cache.  Support for this would have been nightmarish.  Safari
worked, kinda, but required some goofy hackery.  I don't remember the rest
off the top of my head.

Yes, there are issues. One main one is user perception that to a web server
they are anonymous unless they login. They don't expect to get logged in
automatically. This has implications that they cannot have someone else
use their workstation for some web access, as their workstation can now
represent them in situations they had not expected.

There are some Windows settings to control the behavior when the user
needs to present a certificate. Kx509 can set one of these with the
"Silently select certificate" option from the right click of the taskbar
icon.

It's not perfect.


Mark



--

 Douglas E. Engert  <[EMAIL PROTECTED]>
 Argonne National Laboratory
 9700 South Cass Avenue
 Argonne, Illinois  60439
 (630) 252-5444
________________________________________________
Kerberos mailing list           [email protected]
https://mailman.mit.edu/mailman/listinfo/kerberos
