Fixing SSL (was Re: Dutch Transport Card Broken)

[Victor Duchovni]

On Sat, Feb 09, 2008 at 05:04:28PM -0800, David Wagner wrote:

> By the way, it seems like one thing that might help with client certs
> is if they were treated a bit like cookies.  Today, a website can set
> a cookie in your browser, and that cookie will be returned every time
> you later visit that website.  This all happens automatically.  Imagine
> if a website could instruct your browser to transparently generate a
> public/private keypair for use with that website only and send the
> public key to that website.  Then, any time that the user returns to
> that website, the browser would automatically use that private key to
> authenticate itself.  For instance, boa.com might instruct my browser
> to create one private key for use with *.boa.com; later,
> citibank.com could instruct my browser to create a private key for
> use with *.citibank.com.

Microsoft broke this in IE7... It is no longer possible to generate and
enroll a client cert from a CA not on the trusted root list. So private
label CAs can no longer enroll client certs. We have requested a fix,
so this may come in the future, but the damage is already done...

Also the IE7 browser APIs for this are completely different and rather
minimally documented. The interfaces are not portable between browsers,
... It's a mess.

-- 

 /"\ ASCII RIBBON                  NOTICE: If received in error,
 \ / CAMPAIGN     Victor Duchovni  please destroy and notify
  X AGAINST       IT Security,     sender. Sender does not waive
 / \ HTML MAIL    Morgan Stanley   confidentiality or privilege,
                                   and use is prohibited.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com