On Jul 2, 2008, at 5:52 PM, Boyd Fletcher wrote:
Any chance we can get Apple to allow the use of wildcards in the URL for a site when setting the ID Pref Cert? for example: https://*.us.army.mil
Keep in mind this can be problematic as well if, within say the US Army, you authenticate with the ID Cert at one site and the Email Signing Cert at another one. If you had a wildcard ID Pref, then it would either mean all sites would be fed the same cert (similar to the problem we are getting away from) or you would also end up with a wildcard ID Pref and an ID Pref for each site *not* using the same cert as selected in the wildcard definition. It is an issue we are well aware of and are addressing moving forward.
Also, I think it would help a lot if Safari had a GUI hook that would let you set the ID Pref Cert for the current site.
It does! Also, keep in mind the recent changes we made to improve this even more with 10.5.3 & Safari. The issues with this are currently impacted by the way the Server is configured for client-authentication. We are going to try and improve on this even more going forward -- with our never ending desire to improve upon the currently shipping implementations.
Mac OS X 10.5.2 (and earlier) / Safari:
• Safari 3 automatically sends the first available client certificate in your keychain
• If the first certificate sent to the site was *not* accepted *and* the server acknowledges the failure during the protocol handshake / Authentication (SSL/TLS), then Mac OS X's network services bubble up the failure to Safari, which will then display a sheet indicating the failure with a list of other possible certs to select instead. Once selected, the ID Pref is set.
Safari, Mac OS X 10.5.3: Changes in client certificate authentication
From my previous message on this....

Server Side Configuration Caveat: Safari may not prompt you to select a client certificate if the server you are attempting to authenticate to is configured to *optionally* accept (rather than require) client authentication. Many of the US Federal Government web servers are configured for *optional* rather than *required*, since there is still a transition from User/Pass over to Smart Cards.
System will auto create Identity Preference *IF* Server configured for *required*: As noted in the KBase article referenced above, when accessing a website configured as *required*, Safari will prompt the user for the appropriate certificate to use for client authentication, but ONLY if it is configured as *required*.
Manually Creating Identity Preferences -- Server configured for *optional*: In this case you can force a particular client certificate to be sent by manually creating an identity preference item for the desired server authentication. Note that it is important to know the correct URL for the actual authentication process, which may significantly differ from the standard login URL.
- Shawn
_____________________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Enterprise
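The manual route Shawn describes (binding one client certificate to one server URL when the server only *optionally* requests client auth) can also be scripted from the command line. The following is an added example, not code from the thread or from Apple; it assumes the `security` CLI's `set-identity-preference` and `get-identity-preference` subcommands, which exist on current macOS (their availability on 10.5 is not verified here), and the URL normalisation rule it applies (drop query and fragment, lowercase scheme and host, keep the path) is the author's assumption about how to derive a stable preference name from the real authentication URL:

```shell
#!/bin/sh
# Added example (not from the original thread): create a macOS Keychain
# identity preference so Safari sends one chosen client certificate to a
# server that only *optionally* requests client authentication.
# Assumes `security set-identity-preference` / `get-identity-preference`
# (current macOS; not verified on 10.5).

# Derive the service name the preference is keyed on from the URL of the
# actual authentication endpoint. Assumption: query string and fragment
# are session-specific and must not be part of the name, while the path
# is kept because the auth URL may differ from the login page URL.
idpref_service() {
    url=$1
    base=${url%%\?*}                 # strip ?query...
    base=${base%%#*}                 # strip #fragment
    scheme=${base%%://*}
    rest=${base#*://}
    host=${rest%%/*}
    path=${rest#"$host"}
    scheme=$(printf '%s' "$scheme" | tr 'A-Z' 'a-z')
    host=$(printf '%s' "$host" | tr 'A-Z' 'a-z')
    printf '%s://%s%s\n' "$scheme" "$host" "$path"
}

# Bind the certificate whose common name is $1 to the auth URL $2.
# Off macOS (no security(1)) it only reports what it would run.
set_idpref() {
    cert_cn=$1
    service=$(idpref_service "$2")
    if ! command -v security >/dev/null 2>&1; then
        printf 'security(1) not found; would run:\n' >&2
        printf '  security set-identity-preference -c "%s" -s "%s"\n' \
            "$cert_cn" "$service" >&2
        return 2
    fi
    security set-identity-preference -c "$cert_cn" -s "$service"
}

# Show which identity is currently bound to the auth URL $1.
show_idpref() {
    service=$(idpref_service "$1")
    security get-identity-preference -s "$service" -c
}

# Usage (constructed placeholder values, run only when asked explicitly):
#   sh idpref.sh --apply "DOE.JOHN.1234567890" \
#       "https://auth.example.mil/sso/login?SAMLRequest=abc#top"
if [ "${1:-}" = "--apply" ]; then
    set_idpref "$2" "$3" && show_idpref "$3"
fi
```

Because the thread's concern is that the ID certificate and the email-signing certificate often share a common name, selecting by `-c` may be ambiguous; recent `security` versions document a `-Z` option on `set-identity-preference` that selects the identity by certificate SHA-1 hash instead (check `security help set-identity-preference` on your release). Verifying with `show_idpref` after setting the preference confirms which certificate Safari will now present, which is the check that matters when a server never falls back to the selection sheet.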