[2460] in WWW Security List Archive
Default Certificates, was --> Re: Security/Privacy of Certificates in Netscape 3.0
daemon@ATHENA.MIT.EDU (Jason S. Smith)
Thu Jul 18 14:31:09 1996
Date: Thu, 18 Jul 1996 12:19:19 -0400
From: "Jason S. Smith" <jason@mitre.org>
Reply-To: jason@mitre.org
To: jsw@netscape.com, Kathy Bitting <bitting@smiley.mitre.org>,
Lorrayne Schaefer <lorrayne@mitre.org>
Cc: www-security@ns2.rutgers.edu
Errors-To: owner-www-security@ns2.rutgers.edu

Jeff Weinstein wrote:
> Your certificate will only be delivered to a remote site as
> part of an SSL client authentication. It is not accessible to
> Java or JavaScript.
>
> In the current beta, when you connect to a web site with SSL,
> and the site requests client authentication, the user is prompted
> to select a certificate to send, and can cancel the connection
> at this time.
>
Will the capability to select a certificate be available through CCI?
We use a script which manipulates the Netscape browser to periodically
download and save a file from a known URL. When we require client side
auth to the server hosting the URL, the script requires human
interaction to select a certificate to use.

> The final release of 3.0 will have several more options for
> choosing a certificate to send when a site requests client auth.
> The three options are:
>
> 1) always ask user (this is the default) - same as the
> behaviour of the current beta
> 2) automatic selection - The SSL 3.0 protocol allows the
> server to send a list of CAs that it will accept
> user certificates from. When this option is
> enabled, the navigator will try to select one of
> your certificates that the server will accept.
> 3) send a user specified cert - This option allows the
> user to select a certificate to send by default.

Good, we really need default certificates.

If I configure a browser to use a default certificate, and control the
browser through CCI, I assume that a script will be able to make
authenticated requests using the default certificate. Is this a valid
assumption?

Will 2 and 3 be combined? Can I specify a default certificate, but have
the browser automatically select a different certificate when a server
requests a certificate which is not my default?

Jason Smith
The MITRE Corporation
(703) 883-6219
jason@mitre.org
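The three selection options quoted above, plus the combination the message asks about, sketched as a small policy function. This is an added example, not part of the original message and not Netscape's code. The `DEFAULT_THEN_AUTO` policy, the rule that an ambiguous automatic match falls back to prompting, the simplified DN comparison and all certificate names are assumptions made for illustration.

```python
from dataclasses import dataclass
from enum import Enum
from typing import Optional, Sequence


class Policy(Enum):
    ASK = 1                # option 1: always ask the user
    AUTO = 2               # option 2: match against the server's CA list
    DEFAULT = 3            # option 3: always send the user-specified cert
    DEFAULT_THEN_AUTO = 4  # hypothetical combination of options 2 and 3


@dataclass(frozen=True)
class ClientCert:
    nickname: str
    issuer_dn: str  # distinguished name of the issuing CA


def _norm(dn: str) -> str:
    # Simplified DN comparison (assumption): ignore case and comma spacing.
    return ",".join(part.strip().lower() for part in dn.split(","))


def select_client_cert(policy: Policy, acceptable_cas: Sequence[str],
                       certs: Sequence[ClientCert],
                       default_nickname: Optional[str] = None) -> Optional[ClientCert]:
    """Return the cert to send, or None when a human must choose or cancel."""
    accepted = {_norm(dn) for dn in acceptable_cas}
    matches = [c for c in certs if _norm(c.issuer_dn) in accepted]
    default = next((c for c in certs if c.nickname == default_nickname), None)
    if policy is Policy.ASK:
        return None
    if policy is Policy.DEFAULT:
        # Sent regardless of the server's CA list; the server may reject it.
        return default
    if policy is Policy.DEFAULT_THEN_AUTO and default in matches:
        return default
    # AUTO, or the default was not acceptable: send only an unambiguous match.
    return matches[0] if len(matches) == 1 else None


# Constructed sample data: two user certificates from different CAs.
SAMPLE_CERTS = [
    ClientCert("work", "CN=Example Corp CA, O=Example Corp, C=US"),
    ClientCert("personal", "CN=Example Public CA, O=Example Trust, C=US"),
]
PUBLIC_ONLY = ["cn=example public ca,o=example trust,c=us"]
BOTH_CAS = [c.issuer_dn for c in SAMPLE_CERTS]
```

A `None` result is the case in which an unattended script would stop at the selection prompt.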