- From: bergi <bergi@axolotlfarm.org>
- Date: Wed, 29 Jun 2011 00:57:08 +0200
- To: WebID XG <public-xg-webid@w3.org>, Henry Story <henry.story@bblfish.net>, mike.jones@manchester.ac.uk
We already talked about this topic at the teleconf on Monday. I've created a small summary:

No matter what went wrong during the authentication process, the users should get an understandable error message and, if possible, the message already contains a solution for the problem. The https protocol allows us to forward errors to the user on two levels: ssl/tls and http. We (the endpoint developers) have complete control over the http error pages, but depend on the browser vendors for how errors on the ssl level are shown to the user. The idea was now to ignore most ssl errors and handle them on the http level; at least test endpoints could handle errors in this way. Opinions from the ssl experts?

Most of the current WebID endpoint implementations depend on the Apache https implementation. The SSLVerifyClient option allows us to disable the CA verification, but other things like the date verification or the handling of the critical extensions can't be configured after compilation. Should we ask the Apache people if they can make more things configurable?

Perhaps the best approach would be improving the handling of the certificate selection and the ssl error message shown by the browser. I've done some tests with expired certificates on my Windows machine with Firefox, Chrome, Opera and IE9:

Chrome and IE9: Both don't even offer expired certificates in the selection dialog (looks like both use the default SSPI dialog). As I couldn't select the expired cert, I didn't check how error messages are displayed.

Firefox: Firefox marks certificates as expired in the selection dialog, but they can be selected, and it also shows some details about refused ssl connections. But it could be even more user-friendly.

Opera: Opera allows selection of expired certificates but doesn't mark them as expired (only the details page shows the begin and end date). The error message just informs that the server was not reachable.

The Wikipedia article about the TLS alert protocol:
http://en.wikipedia.org/wiki/Transport_Layer_Security#Alert_protocol

Apache documentation for the SSLVerifyClient option:
http://httpd.apache.org/docs/2.2/mod/mod_ssl.html#sslverifyclient

The WebID test vocabulary. The pure certificate tests are interesting:
https://dvcs.w3.org/hg/WebID/file/55f18239ed1a/tests/earl/test.n3

Henry's TLS tests:
https://github.com/bblfish/TLS_test
Received on Tuesday, 28 June 2011 22:57:32 UTC
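The following is an added example, not code from the thread, from the WebID XG or from any of the endpoints it mentions. It shows the "ignore ssl errors, handle them on the http level" idea in a small Go server rather than in Apache: the TLS layer is told to request a client certificate but not to verify it (tls.RequestClientCert), and the HTTP handler then checks the validity period and the subjectAltName URI itself and answers with a message that names the problem and a suggested fix. The Verdict codes, the JSON shape, the 403 status and the WebID URI https://example.org/me#i are all assumptions made for the example; the test certificate is constructed in the program, not taken from a real user.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/json"
	"fmt"
	"math/big"
	"net/http"
	"net/url"
	"time"
)

// Verdict is the HTTP-level answer about a client certificate (assumed
// shape for this example). Code is machine-readable; Message and Fix are
// meant to be shown to the user.
type Verdict struct {
	Code    string   `json:"code"`
	Message string   `json:"message"`
	Fix     string   `json:"fix,omitempty"`
	WebIDs  []string `json:"webids,omitempty"`
}

// classifyClientCert performs the checks a TLS stack would otherwise fail
// with a bare alert (validity window, missing WebID URI) and turns each
// failure into an explanation plus a remedy.
func classifyClientCert(cert *x509.Certificate, now time.Time) Verdict {
	if cert == nil {
		return Verdict{Code: "no-cert", Message: "No client certificate was sent.",
			Fix: "Create a WebID certificate and select it when the browser asks for one."}
	}
	if now.Before(cert.NotBefore) {
		return Verdict{Code: "not-yet-valid",
			Message: fmt.Sprintf("The certificate is not valid before %s.", cert.NotBefore.UTC().Format(time.RFC3339)),
			Fix:     "Check the clock of the machine that issued the certificate, or wait until it becomes valid."}
	}
	if now.After(cert.NotAfter) {
		return Verdict{Code: "expired",
			Message: fmt.Sprintf("The certificate expired on %s.", cert.NotAfter.UTC().Format(time.RFC3339)),
			Fix:     "Create a new certificate and add its public key to your WebID profile."}
	}
	var ids []string
	for _, u := range cert.URIs { // subjectAltName URIs carry the WebID claim
		ids = append(ids, u.String())
	}
	if len(ids) == 0 {
		return Verdict{Code: "no-webid",
			Message: "The certificate has no subjectAltName URI, so it claims no WebID.",
			Fix:     "Issue a certificate whose subjectAltName contains your WebID URI."}
	}
	return Verdict{Code: "ok", Message: "Certificate accepted for WebID lookup.", WebIDs: ids}
}

// certHandler reports the verdict as JSON; only the first certificate the
// client presented is inspected. Failures use 403 (an assumption here).
func certHandler(w http.ResponseWriter, r *http.Request) {
	var cert *x509.Certificate
	if r.TLS != nil && len(r.TLS.PeerCertificates) > 0 {
		cert = r.TLS.PeerCertificates[0]
	}
	v := classifyClientCert(cert, time.Now())
	w.Header().Set("Content-Type", "application/json")
	if v.Code != "ok" {
		w.WriteHeader(http.StatusForbidden)
	}
	json.NewEncoder(w).Encode(v)
}

// newServer asks for a client certificate but lets the TLS layer accept
// anything; every check is pushed down to certHandler.
func newServer(addr string) *http.Server {
	return &http.Server{Addr: addr, Handler: http.HandlerFunc(certHandler),
		TLSConfig: &tls.Config{ClientAuth: tls.RequestClientCert}}
}

// selfSignedCert builds a constructed test certificate with the given WebID
// (empty for none) and validity window. It stands in for a user's cert.
func selfSignedCert(webid string, notBefore, notAfter time.Time) (*x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1),
		Subject: pkix.Name{CommonName: "WebID test user"}, NotBefore: notBefore, NotAfter: notAfter}
	if webid != "" {
		u, err := url.Parse(webid)
		if err != nil {
			return nil, err
		}
		tmpl.URIs = []*url.URL{u}
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	now := time.Now() // demo: classify an expired constructed certificate
	cert, err := selfSignedCert("https://example.org/me#i", now.Add(-48*time.Hour), now.Add(-24*time.Hour))
	if err != nil {
		panic(err)
	}
	v := classifyClientCert(cert, now)
	fmt.Printf("%s: %s (%s)\n", v.Code, v.Message, v.Fix)
	// Serving for real: newServer(":8443").ListenAndServeTLS("server.crt", "server.key")
}
```

The point of the design is the split the mail proposes: the TLS configuration never sends an alert the browser would render in its own (often unhelpful) way, and the application decides what to tell the user. In Apache this is only partly reachable, since SSLVerifyClient optional_no_ca relaxes the CA check but, as noted above, not the date check; in a server whose TLS configuration is under the endpoint's control the whole decision can be moved to the HTTP layer.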