Re: [Fed-Talk] Problems with Keychain/AF WebMail/CAC Or the endless trials of getting Macs to work with Smartcards
- Subject: Re: [Fed-Talk] Problems with Keychain/AF WebMail/CAC Or the endless trials of getting Macs to work with Smartcards
- From: "Timothy J. Miller" <email@hidden>
- Date: Mon, 4 Jun 2007 08:27:28 -0500
On Jun 2, 2007, at 11:04 PM, email@hidden wrote:
Ask any of the service PKI offices, and they'll tell you the same
thing: if you're doing PKI authentication, you should accept
*both* the email and ID certs for a given user. Failure to do so
*will* cause user problems because users will have to select
between them and roughly half will get it wrong.
This is a problem even on Windows with IE.
This is an incorrect configuration of the web server. As part of
the SSL negotiation the server sends down appropriate certificate
authorities for the clients. It's easier to put all the certificate
authorities in the configuration instead of just the e-mail CAs.
Therefore you end up with a choice for the user, one of which may
be unusable. Of course some browsers will ask users which client
certificate to use even if there is only one choice that meets the
criteria, sometimes in a window behind the browser.
Actually, SSL trust lists are supposed to be a list of *root* CAs,
not sets of particular sub-CAs. The fact that some versions of
Apache/SSL or mod_ssl allow it is immaterial (and, strictly speaking,
a bug). IIS, for instance, enforces this restriction. :)
-- Tim
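The exchange above turns on one detail of the TLS handshake: the server's CertificateRequest carries a list of acceptable CA names, and the browser uses that list to decide which client certificates to offer. In Apache mod_ssl the list sent to the client is independent of the set of certificates used to verify the chain. The fragment below is an added illustration, not configuration from the list or from any Air Force deployment; the file paths and CA names are placeholders. It shows the "lazy" layout that causes the behaviour described in the thread (every CA, including the sub-CAs, is both trusted and advertised) next to a layout where only the root CAs are advertised while the full chain is still trusted for verification.

```apache
# --- Layout that produces the reported user-facing problem (illustrative) ---
# Trust AND advertise every CA in one bundle. Because the bundle holds
# the root plus each sub-CA (ID sub-CA, e-mail sub-CA), the browser sees
# several matching issuer names and shows the user a choice of
# certificates, roughly half of which lead to a failed login.
<VirtualHost *:443>
    ServerName webmail.example.mil            # placeholder host name
    SSLEngine on
    SSLCertificateFile      /etc/ssl/server.crt     # placeholder path
    SSLCertificateKeyFile   /etc/ssl/server.key     # placeholder path
    SSLVerifyClient require
    SSLVerifyDepth 3
    # Root + all sub-CAs together: used both to verify the chain and
    # (by default) as the CA-name list in the CertificateRequest.
    SSLCACertificateFile    /etc/ssl/dod-all-cas.pem   # placeholder path
</VirtualHost>

# --- Layout that keeps verification unchanged but advertises only roots ---
# SSLCACertificateFile still holds the whole hierarchy so chain building
# and signature checks succeed. SSLCADNRequestFile (mod_ssl 2.2+) limits
# the names sent in the CertificateRequest to the root CA(s), matching
# the SSL convention Tim refers to. The client then offers any cert
# chaining to that root, whether it is the ID or the e-mail certificate,
# and the server-side application decides which subject/EKU it accepts.
<VirtualHost *:443>
    ServerName webmail.example.mil            # placeholder host name
    SSLEngine on
    SSLCertificateFile      /etc/ssl/server.crt     # placeholder path
    SSLCertificateKeyFile   /etc/ssl/server.key     # placeholder path
    SSLVerifyClient require
    SSLVerifyDepth 3
    # Full hierarchy for verification (root + sub-CAs).
    SSLCACertificateFile    /etc/ssl/dod-all-cas.pem   # placeholder path
    # Only root CA certificates: these DNs are what the browser sees.
    SSLCADNRequestFile      /etc/ssl/dod-root-cas.pem  # placeholder path
</VirtualHost>
```

To check what a server actually advertises, connect with `openssl s_client -connect host:443` and read the "Acceptable client certificate CA names" section of its output; if sub-CA names appear there, the server is using the first layout. Note that constraining the advertised list does not by itself enforce which certificate type is accepted; that check belongs in the application or in an `SSLRequire` / access rule, which is the other half of the advice in the thread (accept both the ID and e-mail certificates rather than relying on the user to pick).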
Fed-talk mailing list (email@hidden)