Re: [Fed-Talk] Forcing Safari to use Email Cert
- Subject: Re: [Fed-Talk] Forcing Safari to use Email Cert
- From: Richard Murphy <email@hidden>
- Date: Wed, 14 May 2008 10:11:42 -0700
Billy, caps lock - hit it - once. I'm still working on my first cup
of coffee and my eyes are bleeding. ;) Comments to follow.
On May 14, 2008, at 6:31 AM, Billy Lenox wrote:
On May 14, 2008, at 8:07 AM, Timothy J Miller wrote:
We're aware of this problem and we're working on it. As has been
mentioned on the list we're a bit confounded by servers that
redirect in a "friendly" fashion to an informational page rather
than sending back an error code or dropping the connection.
TIM'S RESPONSE: The general thinking is to aid the user, not the
browser, by directing to a customized 401 or 403 which says,
basically, "use the right cert, dummy!" :)
MY RESPONSE: THE USER NEEDS ALL THE AID THEY CAN GET. ASKING FOR THE
CERTIFICATE IS BETTER THAN GETTING A 401 OR 403 ERROR.
TIM'S RESPONSE: This is predicated on IE behavior, which does not
attempt to do *any* cert selection (unlike Safari and Firefox's
default configuration).
MY RESPONSE: THIS IS BECAUSE, INSTEAD OF GIVING AN ERROR, IT IS AN ASK FIRST
THEN GET AN ERROR LATER METHOD. DO NOT GET ME WRONG, SAFARI IS A
GREAT BROWSER BUT IT NEEDS TO BE MORE USER FRIENDLY INSTEAD OF
PICKING FOR YOU.
We can't simply "ask for the identity to use" before going to a site.
We don't know the site requires a client side identity before we go
there. The SSL protocol allows us to figure that out mid-handshake.
In shipping code there isn't a point where we get to pass that
information back to the SecureTransport layer from the CFNetwork
layer. We're looking at fixing that. At that point we can work with
other layers to either allow a choice or automatically pick an
identity - if we have enough information to winnow the results down to
one (1).
Leopard added the "identity preferences" capability in keychains to
allow you to say "use this identity". Tiger and previous took a
"grab the first identity and use it" approach.
TIM'S RESPONSE: Well, there was that little AppleScript floating
around that would set an ID pref on Tiger as well. There just
wasn't a convenient UI in Tiger.
MY RESPONSE: I DON'T HAVE ANY PROBLEMS IN 10.4 BECAUSE I HAD TO
SWITCH TO FIREFOX RIGHT NOW BECAUSE IT DOES ASK FOR CERTIFICATES AND
IT WORKS GREAT ON THE SITES I HAVE TO GET TO.
APPLE JUST NEEDS TO FIX IT THE SAME WAY IN SAFARI AND THEN I CAN
SWITCH BACK TO SAFARI.
Um no. We don't need to "fix it the same way". We need to fix it.
If you still prefer the way Firefox does it, then stay with Firefox.
Leopard limitations (Safari was being re-architected) made us hold back
on some other changes. Making these sorts of fixes requires
coordination with the owners of Safari, Webkit, Foundation,
CFNetwork, as well as my group. We're working with them to get the
client side cert technology working better for our users.
TIM'S RESPONSE: Dan's last suggestion--moving the ID pref UI out of
Keychain and into Safari--is a good one, IMHO. Should a bug be
filed for this or is there another feature request submission path
you'd prefer?
MY RESPONSE: IS TO LEAVE IT IN KEYCHAINS. IT IS NOT GOOD TO HAVE TO
LOAD CERTIFICATES INTO A BROWSER. KEYCHAINS WAS MADE TO KEEP IT ALL
IN ONE PLACE AND IT CAN BE USED BY ALL APPLICATIONS.
I DON'T NEED 5 BROWSERS WITH 5 COPIES OF THE SAME CERTS.
I don't think Tim is suggesting moving the cert store to being
implemented with Safari. Keychains are a subsystem in Mac OS.
Keychain Access is an app to manage Keychain information. As Tim
suggests, we can put some of the management UI into Safari closer to
where it's actually used. That's actually our thoughts for future
interfaces as well.
Some servers even include hints for the proper identity to use to
answer the authentication challenge, by sending a list of allowable
CAs.
TIM'S RESPONSE: Kinda sorta. See my previous re: SSL/TLS
Certificate Request messages. AFAIK you can only rely on Apache to
send you *just* the trust list, but IIS will send you a *bunch* of
roots that won't actually work. And with proxies (in both
directions!) I don't think you can rely on Server headers to tell
you which is which.
MY RESPONSE: IF THIS IS TRUE SOMEONE NEEDS TO LET THE MICROSOFT
WEENIES KNOW HOW TO FIX THIS PROBLEM. 99.999% OF THE SERVERS ON THE
ARMED FORCES BASES ARE RUNNING WINDOWS AND THEY ARE TIED BACK TO
ACTIVE DIRECTORY USING YOUR EMAIL CERTIFICATE TO VERIFY THE USER.
We'll only be able to use the hint to automatically select an identity
if it helps us resolve the identity choices to 1. If it doesn't we'll
need UI to offer all the identities that can be used based on the
hint. This assumes the server at least includes a hint that is useful
in the authentication sequence :)
- murf
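The winnowing rule murf describes (auto-select an identity only when the server's CA hint resolves the choices to exactly one, otherwise offer a choice), as an added example that is not from this thread or from Apple's code. It parses the certificate_authorities list of a TLS 1.2 CertificateRequest (RFC 5246 section 7.4.4) and matches it against the issuer of each client identity; the DN byte strings and identity labels are constructed placeholders, not real DER names, and the "IIS-style" hint with extra unusable roots models Tim's observation.

```python
import struct

def parse_certificate_request(body: bytes) -> list:
    """Return the DistinguishedName byte strings from a TLS 1.2
    CertificateRequest body: certificate_types <1..2^8-1>,
    supported_signature_algorithms <2..2^16-2>, certificate_authorities <0..2^16-1>."""
    pos = 1 + body[0]                                   # skip certificate_types
    (sa_len,) = struct.unpack('!H', body[pos:pos + 2])
    pos += 2 + sa_len                                   # skip signature algorithms
    (ca_len,) = struct.unpack('!H', body[pos:pos + 2])
    pos += 2
    end = pos + ca_len
    names = []
    while pos < end:                                    # each DN is <1..2^16-1> length-prefixed
        (dn_len,) = struct.unpack('!H', body[pos:pos + 2])
        pos += 2
        names.append(body[pos:pos + dn_len])
        pos += dn_len
    return names

def build_certificate_request(ca_dns) -> bytes:
    """Constructed CertificateRequest body: rsa_sign only, one signature
    algorithm (sha256/rsa), followed by the given CA names."""
    cas = b''.join(struct.pack('!H', len(dn)) + dn for dn in ca_dns)
    return (b'\x01\x01' + struct.pack('!H', 2) + b'\x04\x01'
            + struct.pack('!H', len(cas)) + cas)

def select_identity(identities, ca_hint):
    """identities: list of (label, issuer_dn) pairs from the keychain.
    Returns ('auto', label) when the hint narrows the choice to one identity,
    ('prompt', labels) when UI must still ask the user, ('none', []) when
    no identity chains to any CA the server listed. An empty hint means the
    server gave no usable information, so every identity stays a candidate."""
    hint = set(ca_hint)
    matches = [label for label, issuer in identities if not hint or issuer in hint]
    if len(matches) == 1:
        return ('auto', matches[0])
    if matches:
        return ('prompt', matches)
    return ('none', [])

# Constructed sample data (placeholders, not real DER DistinguishedNames).
EMAIL_CA = b'CN=EXAMPLE EMAIL CA (constructed)'
ID_CA = b'CN=EXAMPLE ID CA (constructed)'
UNRELATED_ROOT = b'CN=EXAMPLE UNRELATED ROOT (constructed)'
KEYCHAIN_IDENTITIES = [('email-cert', EMAIL_CA), ('id-cert', ID_CA),
                       ('personal-cert', b'CN=SELF-SIGNED (constructed)')]
```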