[FoRK] DNT: another example of "you can't make this shit up"

Gregory Alan Bolcer greg at bolcer.org
Mon Oct 15 11:02:07 PDT 2012

On 10/15/2012 10:43 AM, Stephen Williams wrote:
> What doesn't work correctly with client-side certificates?

1) They are domain specific and not path certificate based on content 
inside them

2) Browsers pick the first certificate in their store that matches the 
domain, though there could be infinite paths, thus infinite certificates 
with the same domain inside the store

3) Browsers, even if they have the right domain, don't check the timeout date

4) PKI is not dynamic

5) Browsers don't and can't dynamically incorporate a new certificate 
while in the middle of an SSL negotiation process

So, it doesn't work for dynamic or micro-access.


> I've used both soft and hard certificates with browsers, SSH, etc. Other
> than the proprietary driver fiasco for hard certificate access, it
> works.  Except for the problems with PKI itself.
>> Gawd, that would be really cool.
>> Greg
>> On 10/15/2012 10:25 AM, Damien Morton wrote:
>>> On Thu, Oct 11, 2012 at 5:41 PM, Stephen D. Williams <sdw at lig.net>
>>> wrote:
>>>> We need something like cookies, at least some of the time.
>>> Oh yeah - when do "we" need cookies?
>>> What does a user do with a cookie? Nothing, they don't even see them.
>>> If you have a way of presenting something like a BrowserID - a crypto
>>> mashup of username/password/domain - any state can be stored server-side
> sdw

greg at bolcer.org, http://bolcer.org, c: +1.714.928.5476