Re: [Fed-Talk] Re: Safari prompting for Cert selection
- Subject: Re: [Fed-Talk] Re: Safari prompting for Cert selection
- From: Timothy J Miller <email@hidden>
- Date: Tue, 8 Jul 2008 16:36:02 -0500
On Jul 4, 2008, at 2:43 PM, Shawn A. Geddis wrote:

>> Actually it would be nice if Safari had an interface to access
>> passwords like Firefox does and add the ability to set Certs as well.
>
> There is a fundamental difference between Firefox's Security/PKI
> model and that which is leveraged by Safari.
>
> /* Shawn's personal rant on this point follows */
>
> Firefox is a complete stand-alone application which requires that
> all of its Certs / Trust / Settings be performed within the
> application - hence the _need_ to prompt _within_ the application
> for Passwords / Certs.

Actually, FF also does auto-selection, it just does it stupidly--it
takes the first cert from the card (usually the ID cert) and attempts
to authenticate. After that, it suffers from the same issues as
Safari if that cert is rejected. And, unlike Safari, FF doesn't
*remember* which cert you used.

Which is why it's easier with FF to set it to "ask every time."

> I am a little surprised that so many IT folks who are "Central
> Management" focused prefer an application that makes no effort in OS
> integration and requires redundant effort to manage.

Actually it doesn't take so much. The cert8.db, key3.db, and
secmod.db are almost completely portable so they can be set on one
system and then copied wherever. The only thing that doesn't port is
the PKCS#11 module definition in secmod.db--and that's only if you
move across architecture or to a platform that installed the module
somewhere different.

If all you're worried about is managing trust, then you only need to
manage cert8.db and that file *is* completely portable, even across
architectures.

-- Tim