X.509 Interop

Douglas E. Engert deengert at anl.gov
Thu Nov 17 13:38:26 EST 2005



Mark Sirota wrote:

> --On November 17, 2005 11:05:31 AM -0600 "Douglas E. Engert" 
> <deengert at anl.gov> wrote:
> 
>> There is browser support! Along with the UMich Kx509 that works with
>> the IE, there is the kpkcs11 for all the other browsers. This implements
>> a PKCS11 Security device plugin, and it works on Unix or Windows with
>> Netscape, Mozilla or any other browser that can use smartcards
>> via a PKCS11 plugin. It should also work on a Mac too.
> 
> 
> Might be worth looking into again.  Our last investigation (probably two
> years ago) showed that while IE pretended to support this, it did goofy
> things -- if the server advertised the capability, the browser would ask
> the user which certificate to present, even if the user had zero certificates
> in their cache.  Support for this would have been nightmarish.  Safari
> worked, kinda, but required some goofy hackery.  I don't remember the rest
> off the top of my head.

Yes, there are issues. One main one is user perception that to a web server
they are anonymous unless they login. They don't expect to get logged in
automatically. This has implications that they can not have someone else
use their workstation for some web access, as their workstation can now
represent them in situations they had not expected.

There are some Windows settings to control the behavior when the user
needs to present a certificate. Kx509 can set one of these with the
"Silently select certificate" option from the right click of the taskbar
icon.

It's not perfect.

> 
> Mark
> 
> 

-- 

  Douglas E. Engert  <DEEngert at anl.gov>
  Argonne National Laboratory
  9700 South Cass Avenue
  Argonne, Illinois  60439
  (630) 252-5444

