Fixing SSL (was Re: Dutch Transport Card Broken)

Philipp Gühring pg at futureware.at
Mon Feb 11 08:28:30 EST 2008


Hi,

> Microsoft broke this in IE7... It is no longer possible to generate and
> enroll a client cert from a CA not on the trusted root list. So private
> label CAs can no longer enroll client certs. We have requested a fix,
> so this may come in the future, but the damage is already done...
>
> Also the IE7 browser APIs for this are completely different and rather
> minimally documented. The interfaces are not portable between browsers,
> ... It's a mess.

I can fully confirm this.

Microsoft claimed that they had to rewrite the API to make it more secure, but 
I only found one small security-relevant weakness that they fixed, the others 
are still there. (And even that fix wouldn't have justified a rewrite of the 
API for websites. They could have kept the frontend-API compatible in my 
opinion.)

I had the feeling that Microsoft wants to abandon the usage of client 
certificates completely, and move the people to CardSpace instead.
But how do you sign your emails with CardSpace? CardSpace only does the 
realtime authentication part of the market ...

If anyone needs more information on how to upgrade your Web-based CA for IE7:
http://wiki.cacert.org/wiki/IE7VistaSource

Best regards,
Philipp Gühring

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
