Robert Bihlmeyer wrote:
> 
> Michael Ströder <[EMAIL PROTECTED]> writes:
> 
> > I usually dislike that every SSL server out there can request my
> > certificate for authentication.
> 
> In "Privacy and Security|Certificates" you can select "ask every
> time", and will be prompted which certificate to hand out. Canceling
> the selection sends no cert.

I'd rather like to define that some of my certificates never ever
appear in this select list.

> But this is bothersome, like controlling cookies through the "warn me"
> option.

I agree.

> > Therefore I'd like to see an option in PSM's UI where I can mark a
> > certificate as "e-mail only".
> 
> That wouldn't fly if I had two certs for https, one with many
> information (mandated by my bank), and another one with little info.
> Maybe I want to use the first only with bank.example.com, and the
> other for the rest.

For security reasons I'd like to be able to set certificates to "for
e-mail use only". These certs should *never ever* be used for
authentication no matter what else is defined. I'd suggest that the
default is "e-mail use only" if extendedKeyUsage extension does not
explicitly contain 1.3.6.1.5.5.7.3.2 (clientAuth). This would
prevent cert-abuse.

What you described is the next step: Restrict the use of
authentication certs to certain domains.

Ciao, Michael.
