[Fed-Talk] Re: Safari prompting for Cert selection
- Subject: [Fed-Talk] Re: Safari prompting for Cert selection
- From: "Fletcher, Boyd C. CIV US USJFCOM JFL J9935" <email@hidden>
- Date: Tue, 8 Jul 2008 00:55:49 -0400
- Thread-topic: Safari prompting for Cert selection
I agree with the O/S integration, but that does NOT mean that Safari can’t provide a more pleasant and less technical user interface to keychain. It certainly can. The method of handling site username/passwords is easier in FF for the user to use. Safari could provide the same capability and with a similar UI but use the keychain as the backend store.
<boyd’s rant>
The current Safari and Mac OS X Smart Card is simply too confusing and troublesome for most users. Several of our users have reverted back to Tiger or have installed VMware and Windows to get working certificates on a Mac. And their patience is running very thin on this issue. The current approach requires users to:
- know the difference between email and ID certificates
- know the exact URL being used
- know how to use Keychain Access (not exactly a stellar example of a user-friendly UI)
- know how to configure PKI CA certs in Keychain Access.
A regular user should not be confronted with this.
A cleaner approach that is less frustrating for the user is:
1. If you connect to a site and it asks for a certificate, the user is always prompted to select which certificate to use unless “set this certificate as default for this site” is selected. If the wrong certificate is presented, the user is requested to select another one (previous “bad” ones are grayed out).
2. There should be a simple way to assign specific certificates to a specific site in Preference settings in Safari (similar to how username/passwords are assigned in FF). This would allow users to fix accidental “sets” from #1 and fix the problem where the site does not correctly prompt for a certificate to be presented.
3. There should be a setting in Safari to **always** send the user’s certificate (you get to pick which each time) when a user connects to a TLS/SSL encrypted site (regardless of whether or not the site requests a client cert).
</boyd’s rant>
On 7/4/08 3:43 PM, "Shawn Geddis" <email@hidden> wrote:
Subject changed to properly reflect this ongoing discussion....
On Jul 3, 2008, at 10:49 AM, Boyd Fletcher wrote:
I guess what I meant was that there should be a way in Safari to force the ID pref to be set and allow it to be modified. Though the auto prompting is good, if it fails or the user selects the wrong value there needs to be a way to change it without using Keychain (which is a bit daunting for the average user).
There is. If the user selected the wrong certificate (probably trying each one until one works) when prompted by Safari and that certificate was not accepted either, then the user is prompted again, until one selected is accepted by the server. This is all based, of course, on the assumption the server is configured as *required* for Client-Authentication with certificates.
The challenge that most of you are having is with sites that are configured as _optional_ where, right now, a manual configuration of an Identity Preference is required - yes, using Keychain Access.
We are looking at being able to handle the _optional_ case in the future.
Actually it would be nice if Safari had an interface to access passwords like Firefox does and add the ability to set Certs as well.
There is a fundamental difference between Firefox's Security/PKI model and that which is leveraged by Safari.
/* Shawn's personal rant on this point follows */
Firefox is a complete standalone application which requires that all of its Certs / Trust / Settings be performed within the application - hence the _need_ to prompt _within_ the application for Passwords / Certs. This means that even if you already have the Certs / Passwords managed by Mac OS X, you have to duplicate your effort to tell Firefox what to do with the exact same information. Might be nice for Applications like Firefox to integrate with the OS they are running on and take better advantage of the OS Security / PKI services rather than needing to duplicate those same services. I am a little surprised that so many IT folks who are "Central Management" focused prefer an application that makes no effort in OS integration and requires redundant effort to manage. Maintaining good Security is hard enough without duplicating the required efforts. In my opinion, it is very dangerous to be pushing all of the security decisions into the application that runs in user space. It is much safer and better practice to rely on the security enforcement of the OS.
Mac OS X provides a System-wide architecture for this which can be set _once_ and safely relied on by every single application that leverages the corresponding Sec* APIs. Not only that, Applications do not need to attempt to get into the security game and try to do security -- which frequently is one of their last concerns. Safari is relying, as it should, on the Security / Certificate management of the OS. That said, the OS is performing all of the Certificate parsing, chain-of-trust validation, confirming proper key usage, etc.
/* Thus ends Shawn's personal rant on this point :-) */
Now back to our previously scheduled programming...
- Shawn
_____________________________________________________
Shawn Geddis Security Consulting Engineer Apple Enterprise