[115040] in cryptography@c2.net mail archive
Re: Fixing SSL (was Re: Dutch Transport Card Broken)
daemon@ATHENA.MIT.EDU (Philipp Gühring)
Wed Feb 13 12:39:51 2008
From: Philipp Gühring <pg@futureware.at>
To: cryptography@metzdowd.com
Date: Mon, 11 Feb 2008 14:28:30 +0100
In-Reply-To: <20080210042113.GH18453@np305c2n2.ms.com>
X-MDaemon-Deliver-To: cryptography@metzdowd.com
Hi,
> Microsoft broke this in IE7... It is no longer possible to generate and
> enroll a client cert from a CA not on the trusted root list. So private
> label CAs can no longer enroll client certs. We have requested a fix,
> so this may come in the future, but the damage is already done...
>
> Also the IE7 browser APIs for this are completely different and rather
> minimally documented. The interfaces are not portable between browsers,
> ... It's a mess.
I can fully confirm this.
Microsoft claimed that they had to rewrite the API to make it more secure, but I only found one small security-relevant weakness that they fixed; the others are still there. (And even that fix wouldn't have justified a rewrite of the API for websites. They could have kept the frontend API compatible, in my opinion.)
I had the feeling that Microsoft wants to abandon the usage of client certificates completely, and move the people to CardSpace instead.
But how do you sign your emails with CardSpace? CardSpace only does the realtime authentication part of the market ...
If anyone needs more information on how to upgrade your Web-based CA for IE7:
http://wiki.cacert.org/wiki/IE7VistaSource
Best regards,
Philipp Gühring
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com