Subject changed to properly reflect this ongoing discussion....
On Jul 3, 2008, at 10:49 AM, Boyd Fletcher wrote:
> I guess what I meant was that there should be a way in Safari to force the ID pref to be set and allow it to be modified. Though the auto prompting is good, if it fails or the user selects the wrong value there needs to be a way to change it without using Keychain (which is a bit daunting for the average user).
There is. If the user selected the wrong certificate (probably trying each one until one works) when prompted by Safari and that certificate was not accepted either, then the user is prompted again, until one selected is accepted by the server. This is all based, of course, on the assumption the server is configured as *required* for Client-Authentication with certificates.
The challenge that most of you are having is with sites that are configured as _optional_ where, right now, a manual configuration of an Identity Preference is required - yes, using Keychain Access.
We are looking at being able to handle the _optional_ case in the future.
> Actually it would be nice if Safari had an interface to access passwords like Firefox does and add the ability to set Certs as well.
There is a fundamental difference between Firefox's Security/PKI model and that which is leveraged by Safari.
/* Shawn's personal rant on this point follows */
Firefox is a complete stand-alone application which requires that all of its Certs / Trust / Settings be performed within the application - hence the _need_ to prompt _within_ the application for Passwords / Certs. This means that even if you already have the Certs / Passwords managed by Mac OS X, you have to duplicate your effort to tell Firefox what to do with the exact same information. Might be nice for Applications like Firefox to integrate with the OS they are running on and take better advantage of the OS Security / PKI services rather than needing to duplicate those same services. I am a little surprised that so many IT folks who are "Central Management" focused prefer an application that makes no effort in OS integration and requires redundant effort to manage. Maintaining good Security is hard enough without duplicating the required efforts. In my opinion, it is very dangerous to be pushing all of the security decisions into the application that runs in user space. It is much safer and better practice to rely on the security enforcement of the OS.
Mac OS X provides a System-wide architecture for this which can be set _once_ and safely relied on by every single application that leverages the corresponding Sec* APIs. Not only that, Applications do not need to attempt to get into the security game and try to do security -- which frequently is one of their last concerns. Safari is relying, as it should, on the Security / Certificate management of the OS. That said, the OS is performing all of the Certificate parsing, chain-of-trust validation, confirming proper key usage, etc.
/* Thus ends Shawn's personal rant on this point :-) */
Now back to our previously scheduled programming...
- Shawn
_____________________________________________________
Shawn Geddis
Security Consulting Engineer
Apple Enterprise