On Jun 4, 2007, at 3:27 AM, Timothy J. Miller wrote:
Ask any of the service PKI offices, and they'll tell you the same thing: if you're doing PKI authentication, you should accept *both* the email and ID certs for a given user. Failure to do so *will* cause user problems because users will have to select between them and roughly half will get it wrong.
This is a problem even on Windows with IE.
This is an incorrect configuration of the web server. As part of the SSL negotiation the server sends down appropriate certificate authorities for the clients. It's easier to put all the certificate authorities in the configuration instead of just the e-mail CAs. Therefore you end up with a choice for the user, one of which may be unusable. Of course some browsers will ask users which client certificate to use even if there is only one choice that meets the criteria, sometimes in a window behind the browser.
Actually, SSL trust lists are supposed to be a list of *root* CAs, not sets of particular sub-CAs. The fact that some versions of Apache/SSL or mod_ssl allow it is immaterial (and, strictly speaking, a bug). IIS, for instance, enforces this restriction. :)
Well if SSL did, that was a mistake that was fixed in TLS. Which we're all using right ;-).
From the TLS protocol standard:
7.4.4: Certificate request ..... certificate_authorities A list of the distinguished names of acceptable certificate authorities. These distinguished names may specify a desired distinguished name for a root CA or for a subordinate CA; thus, this message can be used both to describe known roots and a desired authorization space.
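To make the mechanism the thread is arguing about concrete, here is an added example (not part of the original thread, and not anyone's production code) that builds and parses the TLS 1.0/1.1 CertificateRequest body from the RFC 2246 section quoted above (certificate_types followed by the certificate_authorities list of DER DistinguishedNames), and then applies that list the way a client does when deciding which certificates to offer the user. The DER helpers handle only single-valued UTF8String RDNs, the CA and certificate names are constructed sample values, and the "empty list means any certificate is acceptable" rule is the RFC 5246 wording, all of which are assumptions of the example rather than anything stated in the thread.

```python
"""Build/parse a TLS 1.0/1.1 CertificateRequest and filter client certs by its CA list."""
import struct

# --- minimal DER helpers (illustration only: single-valued UTF8String RDNs) ---
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.11": "OU"}
SHORT_TO_OID = {v: k for k, v in OID_NAMES.items()}


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    b = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(b)]) + b


def _tlv(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _encode_oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = bytearray([40 * parts[0] + parts[1]])
    for p in parts[2:]:
        chunk = [p & 0x7F]
        p >>= 7
        while p:
            chunk.append(0x80 | (p & 0x7F))
            p >>= 7
        out.extend(reversed(chunk))
    return _tlv(0x06, bytes(out))


def _decode_oid(body):
    parts, val = [body[0] // 40, body[0] % 40], 0
    for b in body[1:]:
        val = (val << 7) | (b & 0x7F)
        if not b & 0x80:
            parts.append(val)
            val = 0
    return ".".join(map(str, parts))


def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln, pos = int.from_bytes(buf[pos:pos + n], "big"), pos + n
    return tag, buf[pos:pos + ln], pos + ln


def encode_dn(attrs):
    """[(short name, value), ...] -> DER Name (SEQUENCE OF SET OF AttributeTypeAndValue)."""
    rdns = b"".join(
        _tlv(0x31, _tlv(0x30, _encode_oid(SHORT_TO_OID[k]) + _tlv(0x0C, v.encode())))
        for k, v in attrs)
    return _tlv(0x30, rdns)


def decode_dn(der):
    """DER Name -> 'CN=x,O=y' (order preserved, unknown OIDs shown dotted)."""
    _, seq, _ = _read_tlv(der, 0)
    parts, pos = [], 0
    while pos < len(seq):
        _, rdn_set, pos = _read_tlv(seq, pos)   # SET
        _, atv, _ = _read_tlv(rdn_set, 0)       # SEQUENCE { type, value }
        _, oid_body, p2 = _read_tlv(atv, 0)
        _, val, _ = _read_tlv(atv, p2)
        oid = _decode_oid(oid_body)
        parts.append(f"{OID_NAMES.get(oid, oid)}={val.decode()}")
    return ",".join(parts)


# --- CertificateRequest body, RFC 2246 section 7.4.4 (pre-TLS 1.2 layout, assumed) ---
def build_certificate_request(cert_types, dns):
    """certificate_types<1..2^8-1> then certificate_authorities<3..2^16-1> of DN<1..2^16-1>."""
    cas = b"".join(struct.pack("!H", len(d)) + d for d in dns)
    return bytes([len(cert_types)]) + bytes(cert_types) + struct.pack("!H", len(cas)) + cas


def parse_certificate_request(body):
    n, pos = body[0], 1
    cert_types, pos = list(body[pos:pos + n]), pos + n
    (total,) = struct.unpack("!H", body[pos:pos + 2])
    pos, end, cas = pos + 2, pos + 2 + total, []
    while pos < end:
        (ln,) = struct.unpack("!H", body[pos:pos + 2])
        pos += 2
        cas.append(decode_dn(body[pos:pos + ln]))
        pos += ln
    if pos != end:
        raise ValueError("certificate_authorities length mismatch")
    return {"certificate_types": cert_types, "certificate_authorities": cas}


def acceptable_certs(candidates, ca_names):
    """Labels of client certs whose issuer chain contains a listed CA name (root or sub-CA).
    An empty list is treated as 'any certificate acceptable' (RFC 5246 wording, assumed)."""
    if not ca_names:
        return [c["label"] for c in candidates]
    wanted = set(ca_names)
    return [c["label"] for c in candidates if wanted & set(c["chain"])]


# Constructed sample hierarchy: one root with separate e-mail and ID sub-CAs, and a user
# holding one certificate from each sub-CA (chain = issuer DNs from leaf issuer upward).
ROOT_DN = [("CN", "Example Root CA"), ("O", "Example")]
EMAIL_CA_DN = [("CN", "Example Email CA"), ("O", "Example")]
ID_CA_DN = [("CN", "Example ID CA"), ("O", "Example")]
CANDIDATES = [
    {"label": "email-cert", "chain": ["CN=Example Email CA,O=Example", "CN=Example Root CA,O=Example"]},
    {"label": "id-cert", "chain": ["CN=Example ID CA,O=Example", "CN=Example Root CA,O=Example"]},
]


def prompt_choices(listed_cas):
    """Server config -> CertificateRequest -> client-side filter: what the user gets to pick from."""
    req = build_certificate_request([1], [encode_dn(d) for d in listed_cas])  # 1 = rsa_sign
    return acceptable_certs(CANDIDATES, parse_certificate_request(req)["certificate_authorities"])


if __name__ == "__main__":
    print("only e-mail sub-CA listed:", prompt_choices([EMAIL_CA_DN]))
    print("root listed:", prompt_choices([ROOT_DN]))
```

Listing only the e-mail sub-CA leaves the client with one matching certificate and no prompt; listing the root (or both sub-CAs) puts both certificates in front of the user, which is the choice the thread says roughly half of users get wrong. The point for an operator is that the prompt is a direct consequence of what goes into the server's CA list, so it is worth checking that list rather than only the browser.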