Client Certificate UI for Chrome?
Peter Gutmann
pgut001 at cs.auckland.ac.nz
Tue Aug 18 19:22:13 EDT 2009
"James A. Donald" <jamesd at echeque.com> writes:
>I cannot see how you could create a bank web page without a web application
>framework (counting mod-php as a very primitive web application framework)
>and scripting and a database, which scripting and database has to know who it
>is is that logged in
We really are talking about completely different things here. The scripting
and whatnot has nothing to do with TLS or TLS auth mechanisms. The only thing
you need to care about (if you really want to go this way) is channel binding.
>The information about which user, which database primary key is logged in,
>has to be passed up through one layer after another and from one process to
>another.
Yeah, and that's what channel binding is for.
>The plumbing really is that complicated.
Only if you deliberately choose to make it so. Read the RFCs I mentioned
earlier.
>Because keep-alive usually fails for plumbing reasons, standard TLS usually
>does the PKI-based non-authentication dance every page, resulting in
>additional round trips, resulting in painfully bad performance for SSL web
>sites
But TLS doesn't work like that. If it did, you'd get a cert popup every time
you clicked on a link on a TLS-protected web site. Unless you somehow manage
to flush the TLS session cache on the server (which seems unlikely unless
you're DoS'ing it) there's no additional round-trip(s), or additional anything
for that matter.
Peter.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com
More information about the cryptography
mailing list