Re: [Fed-Talk] Re: Fed-talk Digest, Vol 3, Issue 304
- Subject: Re: [Fed-Talk] Re: Fed-talk Digest, Vol 3, Issue 304
- From: "J. Keith Putnam" <email@hidden>
- Date: Wed, 03 Jan 2007 13:51:19 -0600
- Thread-topic: [Fed-Talk] Re: Fed-talk Digest, Vol 3, Issue 304
I have attempted to delete "identity preference"s. I assume that is meant to
be password items in the "login" keychain. There were none associated with
the two sites in question.
On 1/3/07 1:14 PM, "Timothy J. Miller" <email@hidden> wrote:
> J. Keith Putnam wrote:
>
>> You do not have access to this page based on the certificate you have
>> chosen. If you are prompted to choose a certificate, be sure to choose the
>> one with YOUR NAME and "Email" in the description. Also, verify that the
>> certificate is not expired. You can do this by clicking on "View
>> Certificate" at the "Choose a Certificate" prompt.
>
>> If anyone has replied to Mark Thibert directly and is willing to share with
>> me, I would appreciate it.
>
> This is the result, from what I've been told, of the server not
> returning an error when the wrong cert is presented to the server. A
> number of DoD sites do this in order to redirect to a custom error page,
> typically containing some CAC-related instructions. This in itself
> isn't a problem, but Safari will not see the credential refusal (no SSL
> error code was returned) and thus will not fall through to the next
> credential (which in the CAC case will be the right one).
>
> A fix for this would be for Safari to *not* auto-select certificates
> when authenticating to websites, but Apple has good usability reasons to
> do so.
>
> In Keychain Access, you should find an identity preference for the site.
> Delete it and hit the site again. If you're prompted with a cert
> selection dialog, select your email signing cert and you *should* be
> good to go.
>
> If you're not prompted, delete the ID preference again. There's an
> AppleScript application floating about somewhere that will allow you to
> set ID preference to the correct cert on a per-URL basis; this will
> allow you to work around this problem. Someone here should have a copy;
> I had it but I can't find it.
>
> -- Tim