[FoRK] DNT: another example of "you can't make this shit up"
Gregory Alan Bolcer
greg at bolcer.org
Mon Oct 15 11:02:07 PDT 2012
On 10/15/2012 10:43 AM, Stephen Williams wrote:
> What doesn't work correctly with client-side certificates?
1) They are domain specific and not path certificate based on content
2) Browsers pick the first certificate in their store that matches the
domain, though there could be infinite paths, thus infinite certificates
with the same domain inside the store
3) Browsers, even if they have the right domain, don't check the timeout date
4) PKI is not dynamic
5) Browsers don't and can't dynamically incorporate a new certificate
while in the middle of an SSL negotiation process
So it doesn't work for dynamic or micro-access.
> I've used both soft and hard certificates with browsers, SSH, etc. Other
> than the proprietary driver fiasco for hard certificate access, it
> works. Except for the problems with PKI itself.
>> Gawd, that would be really cool.
>> On 10/15/2012 10:25 AM, Damien Morton wrote:
>>> On Thu, Oct 11, 2012 at 5:41 PM, Stephen D. Williams <sdw at lig.net>
>>>> We need something like cookies, at least some of the time.
>>> Oh yeah - when do "we" need cookies?
>>> What does a user do with a cookie? Nothing, they don't even see them.
>>> If you have a way of presenting something like a BrowserID - a crypto
>>> mashup of username/password/domain - any state can be stored server-side
greg at bolcer.org, http://bolcer.org, c: +1.714.928.5476