Re: [Fed-Talk] Re: Fed-talk Digest, Vol 3, Issue 304
- Subject: Re: [Fed-Talk] Re: Fed-talk Digest, Vol 3, Issue 304
- From: Boyd Fletcher <email@hidden>
- Date: Thu, 04 Jan 2007 10:04:35 -0500
- Thread-topic: [Fed-Talk] Re: Fed-talk Digest, Vol 3, Issue 304
On 1/3/07 2:14 PM, "Timothy J. Miller" <email@hidden> wrote:
> This is the result, from what I've been told, of the server not
> returning an error when the wrong cert is presented to the server. A
> number of DoD sites do this in order to redirect to a custom error page,
> typically containing some CAC-related instructions. This in itself
> isn't a problem, but Safari will not see the credential refusal (no SSL
> error code was returned) and thus will not fall through to the next
> credential (which in the CAC case will be the right one).
>
> A fix for this would be for Safari to *not* auto-select certificates
> when authenticating to websites, but Apple has good usability reasons to
> do so.
The correct behavior for Safari should be to prompt the user for the correct
certificate to use (which is what Firefox does). Since Safari picks the
identity certificate by default, it can cause problems if the site is using
the Email Certificate for validating the user with OWA (yes, I know they
probably should use Identity over Email for that, but.....). So in Apple's
attempt to make the browser more usable they in fact make it less usable by
restricting the user's choices too much.
>
> In Keychain Access, you should find an identity preference for the site.
> Delete it and hit the site again. If you're prompted with a cert
> selection dialog, select your email signing cert and you *should* be
> good to go.
>
> If you're not prompted, delete the ID preference again. There's an
> AppleScript application floating about somewhere that will allow you to
> set ID preference to the correct cert on a per-URL basis; this will
> allow you to work around this problem. Someone here should have a copy;
> I had it but I can't find it.
>
> -- Tim
> _______________________________________________
> Do not post admin requests to the list. They will be ignored.
> Fed-talk mailing list (email@hidden)
> Help/Unsubscribe/Update your Subscription:
>
> This email sent to email@hidden