On Dec 17, 2008, at 2:28 PM, Boyd Fletcher wrote:
Thanks Shawn for the update. Some recommended improvements for 10.5.7:
1) If SmartCard is optional for a site, allow the user to set a checkbox in Safari to always prompt for a certificate
2) Have a checkbox in Safari to not store an ID pref and just to always prompt the user.
3) add wildcard (*) support the ID pref or better yet just assume wildcard behavior by default. wildcard support would allow for domain names like *.us.army.mil and for path portion of the URL (everything after the last /)
4) add a check box to the “Reset Safari” that clears all ID prefs (does not delete the pref, just the associated card). that would be unchecked by default in the list.
boyd
Boyd et al.,
Always good to hear suggestions...
I cannot emphasize though how important and beneficial to the whole process it is for folks (like yourself) to submit Enhancement Requests, Bugs, Documentation errors, etc. via the Bug Reporter System. You can specify exactly what you want to see, provide associated industry/organizational requirements, track the status of the work, be one of the first in line to test when there is a software change, etc.
Quick feedback on your points:
1) If SmartCard is optional for a site, allow the user to set a checkbox in Safari to always prompt for a certificate
Yup, been a consideration from the beginning...
2) Have a checkbox in Safari to not store an ID pref and just to always prompt the user.
Hmm... probably not the best user experience...
3) add wildcard (*) support the ID pref or better yet just assume wildcard behavior by default. wildcard support would allow for domain names like *.us.army.mil and for path portion of the URL (everything after the last /)
My response to you on the list back on July 2, 2008:
Date: July 2, 2008 4:30:31 PM PDT
Subject: Re: [Fed-Talk] [Discussion] (2) Card recognized, but I cannot access PKI protected Websites
On Jul 2, 2008, at 5:52 PM, Boyd Fletcher wrote:
Any chance we can get Apple to allow the use of wildcards in the URL for a site when setting the ID Pref Cert?
for example: https://*.us.army.mil
Keep in mind this can be problematic as well if, within say the US Army, you authenticate with the ID Cert at one site and the Email Signing Cert at another one. If you had a wildcard ID Pref, then it would either mean all sites would be fed the same cert (similar to the problem we are getting away from) or you would also end up with a wild card ID Pref and an ID Pref for each site *not* using the same cert as selected in the wild card definition. It is an issue we are well aware of and are addressing moving forward.
4) add a check box to the “Reset Safari” that clears all ID prefs (does not delete the pref, just the associated card). that would be unchecked by default in the list.
The unfortunate part of this one "(does not delete the pref, just the associated card)" would cause a failure to connect every time from that point on. You would need to either delete the ID Pref or update it with a valid mapping.
- Shawn
_____________________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Enterprise
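A small model of the trade-off discussed in the message above (a wildcard ID pref alongside per-site exceptions, and a pref left without its identity), as an added example that is not part of the original thread and not Apple's implementation. The precedence rule, the `select_identity` function and every preference entry are assumptions constructed for illustration.

```python
from fnmatch import fnmatchcase
from urllib.parse import urlsplit

# Constructed identity preferences: host pattern -> certificate label.
# None models a preference whose associated identity has been cleared.
PREFS = {
    "*.us.army.mil": "ID Cert",
    "mail.us.army.mil": "Email Signing Cert",
    "forms.us.army.mil": None,
}
AVAILABLE = {"ID Cert", "Email Signing Cert"}  # identities on the card (constructed)


def select_identity(url, prefs=PREFS, available=AVAILABLE):
    """Return (matched_pattern, cert_label) for url.

    Returns (None, None) when no preference matches (caller should prompt).
    Raises LookupError when a preference matches but its identity is gone,
    modelling the connection failure described for a dangling pref.
    """
    host = (urlsplit(url).hostname or "").lower()
    matches = [p for p in prefs if fnmatchcase(host, p.lower())]
    if not matches:
        return None, None
    # Assumed precedence: exact host entries outrank wildcard entries;
    # among entries of the same kind the longest pattern wins.
    best = max(matches, key=lambda p: ("*" not in p, len(p)))
    cert = prefs[best]
    if cert is None or cert not in available:
        raise LookupError(f"preference {best!r} has no usable identity")
    return best, cert


if __name__ == "__main__":
    for url in ("https://www.us.army.mil/portal",
                "https://mail.us.army.mil/",
                "https://forms.us.army.mil/x",
                "https://example.com/"):
        try:
            print(url, "->", select_identity(url))
        except LookupError as exc:
            print(url, "-> connect fails:", exc)
```

With only the wildcard entry present, `mail.us.army.mil` would be handed the ID Cert, which is the "all sites fed the same cert" case; the per-site entry is the exception needed to avoid it.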