- From: Peter Williams <home_pw@msn.com>
- Date: Wed, 6 Apr 2011 08:58:36 -0700
- To: Henry Story <henry.story@bblfish.net>
- CC: WebID XG <public-xg-webid@w3.org>, nathan <nathan@webr3.org>
Using the myxwiki as a test platform, I found something strange: Having used opera to enroll and the export the credentials to a . P12 file 1 I could complete webid using an opera browser on several versions of windows (having imported the .p12) 2 I could do the same with install versions of ie 8 and 9 (after .p12 import). 3 on the same pc as the ie case, my own https client will fail to complete webid - using the same certs as available to ie. (all acls, etc, were addressed). Something in the webservice client/server lib for the x509token validator behavior seems to prevent the cert bring used (even though it supplied as the desired cert at the API). If I guess, it's because the cert from myxwiki is missing the pkix client authn oid. But this is only a guess. I cannot easily tell where the enforcer might be: whether it's clientside or serverside enforced. On Apr 6, 2011, at 8:29 AM, Henry Story <henry.story@bblfish.net> wrote: > > On 6 Apr 2011, at 17:18, Peter Williams wrote: > >> What l learned by trial is that not all browsers use the hints in the ca message of ssl. Others use it, quite literally. Both behaviours are conforming, as the message contains hints (only) by design. Your implementation may cue off the hints, or it may ignore them. Opera ignores. Ie uses. I dont know what safari does. I don't know what 10 browsers in iPhone-like phone browsers do. > > That's what we need a precise description of. Which browsers do, which don't. If enough do it, then it may > be worth working on this. It comes up regularly. > > So I'll add to the issue that it requires working out which browsers this functions on. > >> >> In my https client, I uses a STD dialog of windows, also used by ie I suspect. The dialog allows several selectors, each of which constrain which of the certs in a users personal trust store are shown. (I don't know if this works on a windows phone, though.) Two options are natural (they are the kind of knowhow a security professional would be expected to show, on a certification test): using cert policy oid (as selector), using application policy oid (as selector). >> >> There is another angle: whether any and all (selected) certs should be shown that match, or only those that have the netscape (or better the iso) client usage oid. But this begs yet another question: must that extension be marked critical? If it's not, an implementation is entitled to ignore it's hint. Thus unit test for client tend to be platform specific, unless one is careful. > > The Java libraries I have been working with add the netscape client usage oid. Anyone testing should > try to get an idea of how each browser works currently, taking those into account. The we can see where > we are starting from. > > >
Received on Wednesday, 6 April 2011 16:04:08 UTC