Re: [Fed-Talk] [Discussion] (2) Card recognized, but I cannot access PKI protected Websites
- Subject: Re: [Fed-Talk] [Discussion] (2) Card recognized, but I cannot access PKI protected Websites
- From: Boyd Fletcher <email@hidden>
- Date: Thu, 03 Jul 2008 11:49:38 -0400
- Thread-topic: [Fed-Talk] [Discussion] (2) Card recognized, but I cannot access PKI protected Websites
I guess what I meant was that there should be a way in Safari to force the ID pref to be set and allow it to be modified. Though the auto prompting is good, if it fails or the user selects the wrong value there needs to be a way to change it without using Keychain (which is a bit daunting for the average user).
Actually it would be nice if Safari had an interface to access passwords like Firefox does and add the ability to set Certs as well.
boyd
On 7/2/08 7:30 PM, "Shawn Geddis" <email@hidden> wrote:
On Jul 2, 2008, at 5:52 PM, Boyd Fletcher wrote:
Any chance we can get Apple to allow the use of wildcards in the URL for a site when setting the ID Pref Cert?
for example: https://*.us.army.mil
That is the desire going forward. Probably even going to https://*.army.mil/
Keep in mind this can be problematic as well if, within say the US Army, you authenticate with the ID Cert at one site and the Email Signing Cert at another one. If you had a wildcard ID Pref, then it would either mean all sites would be fed the same cert (similar to the problem we are getting away from) or you would also end up with a wild card ID Pref and an ID Pref for each site *not* using the same cert as selected in the wild card definition. It is an issue we are well aware of and are addressing moving forward.
Also, I think it would help a lot if Safari had a GUI hook that would let you set the ID Pref Cert for the current site.
It does! Also, keep in mind the recent changes we made to improve this even more with 10.5.3 & Safari. The issues with this are currently impacted by the way the Server is configured for client-authentication. We are going to try and improve on this even more going forward -- with our never ending desire to improve upon the currently shipping implementations.
Mac OS X 10.5.2 (and earlier) / Safari:
• Safari 3 automatically sends the first available client certificate in your keychain
• If the first certificate sent to the site was *not* accepted *and* the server acknowledges the failure during the protocol handshake / Authentication (SSL/TLS) then Mac OS X's network services bubble up the failure to Safari which will then display a sheet indicating the failure with a list of other possible certs to select instead. Once selected, the ID Pref is set.
Safari, Mac OS X 10.5.3: Changes in client certificate authentication
http://support.apple.com/kb/HT1679
From my previous message on this....
Server Side Configuration Caveat:
Safari may not prompt you to select a client certificate if the server you are attempting to authenticate to is configured to *optionally* accept (rather than require) client authentication. Many of the US Federal Government web servers are configured for *optional* rather than *required*, since there is still a transition from User/Pass over to Smart Cards.
System will auto create Identity Preference *IF* Server configured for *required*
As noted in the KBase article referenced above, when accessing a website configured as *required*, Safari will prompt the user for the appropriate certificate to use for client authentication, but ONLY if it is configured as *required*.
Manually Creating Identity Preferences -- Server configured for *optional*
In this case you can force a particular client certificate to be sent by manually creating an identity preference item for the desired server authentication. Note that it is important to know the correct URL for the actual authentication process which may significantly differ from the standard login URL.
- Shawn
_____________________________________________________
Shawn Geddis Security Consulting Engineer Apple Enterprise
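The server-side caveat in Shawn's message (optional versus required client authentication) can be watched directly on the wire. The following is an added example, not code from this thread or from Apple: a self-contained Go program (standard library only) that stands up a loopback TLS 1.3 server under each policy and records the server's verdict. Go's VerifyClientCertIfGiven and RequireAndVerifyClientCert stand in for the "optional" and "required" server settings; the certificates are throw-away self-signed ones constructed in memory. It shows that an optional server completes the handshake for a client that offers no certificate at all, so there is no failure for a browser to bubble up and act on, while a required server rejects that client and accepts one that presents a certificate the server trusts.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Go's names for the two server policies discussed in the thread.
const (
	Optional = tls.VerifyClientCertIfGiven    // "optional": a client may skip the cert
	Required = tls.RequireAndVerifyClientCert // "required": no valid cert, no session
)

// selfSigned builds a throw-away in-memory certificate (constructed for this
// example; it is its own trust anchor and never touches a keychain).
func selfSigned(cn string, serial int64, eku x509.ExtKeyUsage, ips []net.IP) (tls.Certificate, *x509.Certificate) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{eku},
		BasicConstraintsValid: true,
		IsCA:                  true,
		IPAddresses:           ips,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	parsed, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, parsed
}

// DemoPKI is one server identity, one client identity, and the pool each side
// uses to verify the other.
type DemoPKI struct {
	server, client         tls.Certificate
	serverPool, clientPool *x509.CertPool
}

func NewDemoPKI() *DemoPKI {
	srv, srvCert := selfSigned("demo server", 1, x509.ExtKeyUsageServerAuth, []net.IP{net.ParseIP("127.0.0.1")})
	cli, cliCert := selfSigned("demo smart card user", 2, x509.ExtKeyUsageClientAuth, nil)
	p := &DemoPKI{server: srv, client: cli, serverPool: x509.NewCertPool(), clientPool: x509.NewCertPool()}
	p.serverPool.AddCert(srvCert)
	p.clientPool.AddCert(cliCert)
	return p
}

// Handshake runs one TLS 1.3 handshake over loopback with the server set to
// mode and the client offering (or withholding) its certificate. The returned
// error is the server's verdict: the failure a browser must see before it can
// offer the user a different certificate.
func (p *DemoPKI) Handshake(mode tls.ClientAuthType, sendCert bool) error {
	serverCfg := &tls.Config{
		Certificates: []tls.Certificate{p.server},
		ClientAuth:   mode,
		ClientCAs:    p.clientPool,
		MinVersion:   tls.VersionTLS13,
	}
	clientCfg := &tls.Config{RootCAs: p.serverPool, MinVersion: tls.VersionTLS13}
	if sendCert {
		clientCfg.Certificates = []tls.Certificate{p.client}
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverCfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	verdict := make(chan error, 1)
	go func() {
		c, err := ln.Accept()
		if err != nil {
			verdict <- err
			return
		}
		defer c.Close()
		verdict <- c.(*tls.Conn).Handshake() // tls.Conn handshakes lazily, so force it
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), clientCfg)
	if err != nil {
		return err // a client-side alert, if the server objected early
	}
	defer conn.Close() // keep the socket open until the server has ruled
	return <-verdict
}

func main() {
	p := NewDemoPKI()
	fmt.Println("optional server, no cert offered:", p.Handshake(Optional, false)) // <nil>: silently accepted
	fmt.Println("required server, no cert offered:", p.Handshake(Required, false)) // non-nil error
	fmt.Println("required server, cert offered:   ", p.Handshake(Required, true))  // <nil>
}
```

The first line of output is the whole caveat: an "optional" server lets a certificate-less client straight through, so a browser that sent nothing, or sent the wrong certificate and was merely ignored rather than refused, never receives the handshake failure that would trigger a certificate prompt. Checking which of the two policies a site's actual authentication URL uses is therefore the first thing to confirm before creating an identity preference by hand.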