Re: [Fed-Talk] Re: Fed-talk Digest, Vol 3, Issue 304
- Subject: Re: [Fed-Talk] Re: Fed-talk Digest, Vol 3, Issue 304
- From: Boyd Fletcher <email@hidden>
- Date: Thu, 04 Jan 2007 22:38:08 -0500
- Thread-topic: [Fed-Talk] Re: Fed-talk Digest, Vol 3, Issue 304
Well, the folks at Mozilla and Redmond both disagree with you. The safest
thing for the browser to do is prompt for the correct certificate.
BTW, even though Firefox is supposed to prompt, it doesn't always do it. We
have found that several of our Macs running FF 1.5 or 2.0 refuse to prompt
for the right certificate, regardless of the settings in the program.
It would seem to me that to avoid most of these problems DISA should have
just loaded the identity cert with the extra information and be done with it.
The current approach is getting to be more troublesome than it's worth.
boyd
On 1/4/07 2:14 PM, "Timothy J. Miller" <email@hidden> wrote:
> Boyd Fletcher wrote:
>
>> The correct behavior for Safari should be to prompt the user for the correct
>> certificate to use (which is what Firefox does). Since Safari picks the
>> identity certificate by default it can cause problems if the site is using
>> the Email Certificate for validating the user with OWA (yes, I know they
>> probably should use Identity over Email for that, but.....). So in Apple's
>> attempt to make the browser more usable they in fact make it less usable by
>> restricting the users choices too much.
>
> I strongly disagree. I think in the general case Apple's method is
> better. The basic philosophy behind Apple software is "It should just
> work." That means as near to zero configuration tasks for the user as
> possible.
>
> In this *specific* case this design philosophy runs afoul of some odd
> details of the DoD PKI *and* DoD website PK-enablement. For instance,
> from a basic X.509 point of view, the email and identity certificates
> serve *identical purposes*; both have the same keyUsage bits. Why does
> the DoD PKI have both? Because other software vendors
> (*cough*Microsoft*cough*) require particular X.509 extensions be present
> for certain certificate functions (logon and email signing, in
> particular). The DoD chose (correctly, IMHO) not to pollute the
> identity certificate with these extensions, so the email signing cert
> was created--with the intention that someday the email signing cert
> would be discarded when it was no longer necessary (it may be this day
> never comes, but it's a good goal).
>
> What you have to ask is: how many other PKI deployments use multiple
> certs with identical keyUsage settings? Answer: none that I know about.
> It wouldn't surprise me if you could count them on one hand. In fact,
> many PKI deployments use only *one* key for both signing and encrypting.
>
> However, this facet of the DoD PKI in and of itself doesn't create the
> behavior observed. The other factor is the behavior of the website. If
> the website returned the correct SSL error when the id cert was
> presented but was not acceptable, Safari would correctly prompt the user
> to select the certificate, and then create the proper ID preference in
> the user's keychain. However, many DoD websites choose *not* to cause
> an error at this stage, and instead choose to redirect the browser to a
> custom error page.
>
> So I don't see this as an Apple flaw. In fact, from a usability
> perspective, Safari's behavior is far more reliable than Mozilla or IE
> (particularly IE5, which will present the *encryption* certificate as a
> choice even though it can *never* work for SSL authentication).
>
> -- Tim
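Tim's point that the identity and email certs carry the same keyUsage bits, while only an extra extension (and the site's own acceptance rule) tells them apart, as an added example that is not part of this thread: it builds two constructed self-signed certificates with Go's crypto/x509 (the CN, the e-mail address and the exact extension set are assumptions, not the DoD profile) and shows that a keyUsage-only filter keeps both, while a site keyed on an rfc822Name accepts only the second.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// makeCert builds a self-signed certificate (constructed sample, not a DoD cert)
// with shared keyUsage bits; a non-empty email adds emailProtection EKU + rfc822Name.
func makeCert(cn, email string) *x509.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(time.Now().UnixNano()),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if email != "" {
		tmpl.ExtKeyUsage = append(tmpl.ExtKeyUsage, x509.ExtKeyUsageEmailProtection)
		tmpl.EmailAddresses = []string{email}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert
}
// keyUsageCandidates mimics a client that selects on keyUsage alone: every cert
// with digitalSignature set qualifies, so the two certs cannot be told apart.
func keyUsageCandidates(certs []*x509.Certificate) []*x509.Certificate {
	var out []*x509.Certificate
	for _, c := range certs {
		if c.KeyUsage&x509.KeyUsageDigitalSignature != 0 {
			out = append(out, c)
		}
	}
	return out
}
// siteWantsEmailCert models a site (the OWA case in the thread) that requires an
// rfc822Name in the client cert: an extension, not keyUsage, decides acceptance.
func siteWantsEmailCert(c *x509.Certificate) bool { return len(c.EmailAddresses) > 0 }
```

With both certs passing the keyUsage filter, a client that silently picks the first candidate presents the identity cert and the site rejects it; only an error surfaced at the TLS layer, not an HTTP redirect to a custom error page, gives the client a reason to prompt.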