Re: [Fed-Talk] Forcing Safari to use Email Cert
- Subject: Re: [Fed-Talk] Forcing Safari to use Email Cert
- From: Boyd Fletcher <email@hidden>
- Date: Wed, 14 May 2008 08:41:59 -0400
Thanks Richard. Although I would caution against the CA approach, it's simply not reliable and IMHO not worth the engineering dollars to implement. The users have spoken I think fairly definitively on the topic and have said that they want to be prompted for which certificate to use.
boyd

On 5/13/08 7:07 PM, "Richard Murphy" <email@hidden> wrote:

We're aware of this problem and we're working on it. As has been
mentioned on the list we're a bit confounded by servers that redirect
in a "friendly" fashion to an informational page rather than sending
back an error code or dropping the connection. Leopard added the
"identity preferences" capability in keychains to allow you to say
"use this identity". Tiger and previous took a "grab the first
identity and use it" approach.

Leopard limitations (Safari was re-architecting) made us hold back on
some other changes. Making these sorts of fixes requires coordination
with the owners of Safari, Webkit, Foundation, CFNetwork, as well as
my group. We're working with them to get the client side cert
technology working better for our users.

Some servers even include hints for the proper identity to use to
answer the authentication challenge, by sending a list of allowable
CAs. We're looking at hooking that up through the layers of
software. That's in the current plan. I can't give you a timeframe -
they won't let me ;)

>>> so the users get screwed because a bunch of s/w engineers want to
>>> be idealists.

..... Our job is to try to keep your information confidential. That
requires adhering to algorithms, standards and policies for data
access. A security group is often called out as being "idealist",
because we frequently get the job of saying, "No, that's not right,
you can't have that.". In the past we've bent to the "industry norm"
only to follow up by retracing our steps to the original strict
adherence to standards when a CERT advisory was issued showing how the
relaxed implementation allowed certain threats. Because of that we're
pretty cautious to relax our implementation "just this once".

We do appreciate the feedback. We learn a lot from the government
installations since you have configurations beyond anything we can put
together. It all is considered and we try to figure out ways to make
things secure and easy to use.

- murf