I am currently investigating using client certificates for authentication and am noticing the following behaviours in relation to private key protection of a certificate:

Netscape:
- Private keys are all protected by a single password. This makes requiring certs on a website that may be accessed from a public lab impractical.

Internet Explorer:
- When I exported a cert generated by Netscape into IE and brought up a cert-requiring site, there are NO passwords/passphrases involved in protecting the private key.

Does anyone else have views or experience with user certificates in a browser? Am I missing something about getting these browsers to protect private keys? What reading I have done points to this being Netscape's actual behaviour, but I am surprised by IE's lack of protection on the private keys.

I am going to investigate to see if generating a cert on the server side with a passphrase changes behaviour (the export/import process may have altered the private key's abilities), but I'm not betting on it.

Is anyone developing a list of client behaviours when it comes to using certificates to authenticate and/or the current pitfalls of actually relying on this technology? It seems from what small experimentation I have been able to do that the browsers are not at all up to snuff in regards to utilizing certs to replace user/pass.

Thanks for any input,

-= John Douglass

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                              [EMAIL PROTECTED]
Automated List Manager                                 [EMAIL PROTECTED]

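The post raises the question of whether generating the client key with a passphrase on the server side changes how the browser protects it. The script below is an added example, not part of the original post or of mod_ssl; it assumes the `openssl` command-line tool is installed, and the paths and passwords in it are constructed for the demonstration. It generates a client certificate whose private key is encrypted on disk, bundles it into the PKCS#12 file browsers import, and checks that the bundle cannot be opened without its export password. The point it makes concrete is the caveat behind the post's observation: the key passphrase and the PKCS#12 export password protect the key only while it is a file; once the bundle is imported, whether a passphrase is demanded at use time is decided by the browser's own key store, not by anything the server or the export step did.

```shell
#!/bin/sh
# Added example (not from the original post): create a passphrase-protected client
# key and a password-protected PKCS#12 bundle with the openssl CLI, then verify the
# protection on disk. Paths and passwords are constructed for the demonstration.
set -e

WORK="${TMPDIR:-/tmp}/clientcert-example.$$"
KEY_PASS="example-key-passphrase"     # constructed value
EXPORT_PASS="example-export-password" # constructed value

# Generate a self-signed client certificate; the private key is written encrypted
# because no -nodes/-noenc flag is given and a passphrase is supplied.
make_client_cert() {
  mkdir -p "$WORK"
  openssl req -x509 -newkey rsa:2048 -days 1 \
    -subj "/CN=example-user" \
    -keyout "$WORK/client.key" -out "$WORK/client.crt" \
    -passout "pass:$KEY_PASS" >/dev/null 2>&1
}

# Bundle key and certificate into PKCS#12 (the format browsers import) under an
# export password; the bundle carries a MAC so a wrong password is detected.
make_p12() {
  openssl pkcs12 -export \
    -inkey "$WORK/client.key" -passin "pass:$KEY_PASS" \
    -in "$WORK/client.crt" \
    -out "$WORK/client.p12" -passout "pass:$EXPORT_PASS" >/dev/null 2>&1
}

# Succeed only if the key file on disk is encrypted (PKCS#8 "ENCRYPTED PRIVATE KEY"
# or the traditional "Proc-Type: 4,ENCRYPTED" header both contain the word).
key_is_encrypted() {
  grep -q "ENCRYPTED" "$WORK/client.key"
}

# Succeed only if the PKCS#12 bundle opens with the given password.
p12_opens_with() {
  openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$1" \
    -nokeys -noout >/dev/null 2>&1
}

cleanup() {
  rm -rf "$WORK"
}

# Stand-alone run: build the files and report what protects the key on disk.
make_client_cert && make_p12
if key_is_encrypted; then
  echo "private key on disk is passphrase-protected"
fi
if p12_opens_with "$EXPORT_PASS"; then
  echo "PKCS#12 bundle opens with the export password"
fi
if p12_opens_with "not-the-password"; then
  echo "UNEXPECTED: bundle opened with a wrong password"
else
  echo "PKCS#12 bundle rejects a wrong password"
fi
cleanup
```

The two passwords above guard the key only in the file system and during transfer. After import, the post's observation still applies: Netscape keys off one master password for the whole key database, and IE may use the key with no prompt at all, so the passphrase chosen here has no bearing on that behaviour.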