RE: Using client certificates for signing

FYI, we tried this recently, accidentally :)

Microsoft corporate domain joined machines have certificates installed, as you might imagine. One day, doubleclick (I think) "oopsed" something in their syndicated ads, causing the ad content to request client certs. Result: *everyone* visiting ad-sponsored content sites suddenly starts getting cert prompts at random, asking to authorize a cert to authenticate to a news content site for no visible reason, or worse, to select a cert. That was a day of chaos and cranky users.

I have *no* interest in implementing this proposal. Asking users to authorize certificates is a non-starter, users do not understand certificates and should never be asked about them.

-----Original Message-----
From: Mitar [mailto:mmitar@gmail.com] 
Sent: Tuesday, March 1, 2016 12:34 PM
To: Ángel González <angel@16bits.net>
Cc: public-webappsec@w3.org
Subject: Re: Using client certificates for signing

Hi!

On Mon, Feb 29, 2016 at 2:44 PM, Ángel González <angel@16bits.net> wrote:
> The user would need to add your domain to the list of websites allowed 
> to use that certificate. The *.gov.$CC was an example for wildcard 
> support.

OK, but that is then similar to the website prompting the user to use the certificate? You would only want to make it more complicated for the user to do so? So that they have to go to the preferences and do it there? Or  could that list be updated by just approving the dialog box the first time the site wants to use the certificate?

> No. There may be several certificates, each with its own set of 
> permissions.

Yes, in the prompt user would choose which certificate to use with a given site as well.

Firefox already has similar prompt when you access SSL site with client-certificate.


Mitar

--
http://mitar.tnode.com/

https://twitter.com/mitar_m

Received on Tuesday, 1 March 2016 20:55:48 UTC