PSM:CertPrompt

Revision as of 00:00, 6 January 2006 by Relyea

Handling automatic certificate selection is difficult. Currently both IE and PSM products have fairly noticeable corner cases. This page is meant to document how PSM currently behaves and what kinds of problems that behavior generates in deployments.

Current Interactions

IE Current Usage

After restarting IE, it will always prompt for a certificate, even if no certificate is valid. ?IE lists all the user certificates without regard to the certificate list presented to it?. Once IE has a cert selected for the site (or the user has selected no certificate for the site), IE will always use that certificate (or lack of certificate) for that site. The only way to change that is to use the button to clear IE's SSL cert cache. IE will prompt the user even if there is no valid certificate available.

PSM Current Usage

PSM has 2 modes in certificate selection: 1) ask every time. 2) select automatically.

SSL sends a list of CA certificates that are acceptable for Client Authentication. Most HTTP servers build this list automatically whenever that server has CA Certificates which are configured to validate user certificates.

If select automatically is set, PSM will find all the unexpired user certificates, and filter out those certificates which do not chain to one of the certs in the CA list. The first cert in the list for which the user has a valid private key is selected. If no certs survive the sort, no certificate is sent.

If 'ask every time' is set, PSM will find all the user certs (expired and unexpired), and filter that list for certs in the CA list. If no certs are found, then no certificate is sent and the user is not prompted. If any certificates are found (even just one), the user is prompted to select a certificate. The user has the option of selecting no certificate, in which case no certificate is sent.

Note that PSM goes through this every time a full SSL handshake that requests or requires client auth is performed.
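
The two selection modes described above, modeled as an added Python example (this is not PSM's code). Certificates are simplified to records whose `issuer_chain` lists CA names; `UserCert`, `chains_to`, the function names and the sample data are all constructed for illustration.

```python
from dataclasses import dataclass
from datetime import date

@dataclass(frozen=True)
class UserCert:              # hypothetical, simplified stand-in for a user certificate
    nickname: str
    issuer_chain: tuple      # CA names from the issuer up to the root
    not_after: date
    has_private_key: bool = True

def chains_to(cert, ca_list):
    """True if any CA in the cert's chain appears in the server's CA list."""
    return any(ca in ca_list for ca in cert.issuer_chain)

def select_automatically(certs, ca_list, today):
    """Unexpired certs that chain to the CA list; first one with a usable key wins."""
    candidates = [c for c in certs if c.not_after >= today and chains_to(c, ca_list)]
    for cert in candidates:
        if cert.has_private_key:
            return cert
    return None              # nothing survived: no certificate is sent

def ask_every_time(certs, ca_list, prompt):
    """Expired certs stay in the list; the user is prompted only if something matches."""
    # The page mentions no private-key check in this mode, so none is modeled here.
    candidates = [c for c in certs if chains_to(c, ca_list)]
    if not candidates:
        return None          # no match: no prompt, no certificate sent
    return prompt(candidates)  # the user may return None to send no certificate

# Constructed sample data.
TODAY = date(2006, 1, 6)
CHAIN = ("Example Corp CA", "Example Root")
CERTS = [
    UserCert("alice-expired", CHAIN, date(2005, 6, 1)),
    UserCert("alice-nokey", CHAIN, date(2007, 1, 1), has_private_key=False),
    UserCert("alice-current", CHAIN, date(2007, 1, 1)),
    UserCert("alice-other", ("Unrelated CA",), date(2007, 1, 1)),
]

if __name__ == "__main__":
    server_cas = {"Example Root"}
    print("auto:", select_automatically(CERTS, server_cas, TODAY).nickname)
    shown = []
    ask_every_time(CERTS, server_cas, lambda cs: shown.extend(cs))
    print("prompt lists:", [c.nickname for c in shown])
```

Note that the prompt in 'ask every time' mode can offer an expired certificate that 'select automatically' would never send.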

Server Action When No Certificate Is Sent

If the requested certificate is not present, and the server did an SSL require certificate, the connection will fail. If the requested certificate is not present and the server did a 'request but not require certificate', the SSL connection will complete and the server CGIs will be presented with an empty certificate.

Client Authentication Scenarios

Basic Client Authentication: The client has exactly one certificate installed that matches with the CA list sent to the user.

This is the base scenario that all the software has been designed for initially. Currently in PSM, 'select automatically' will present the one valid certificate to the server automatically. 'Ask every time' will present a dialog with the single certificate when you first connect. Future connections will only prompt if the ssl session id is cleared (either in the server or in the client). In IE the user will be prompted to supply the single valid certificate. IE will always use that certificate to authenticate.

Client Authentication with no Certificate: The client has no client auth certificates.

This is the 'common' case of a user trying to go to a site that uses client authentication. In the current PSM case, both 'select automatically' and 'Ask every time' will present no certificate without any user intervention. If the server required client authentication, a connection error will be presented. If the server only requested client auth, the SSL connection completes and the server can present either an appropriate error, or request some sort of alternate authentication. PSM will not check for the existence of a new certificate as long as the ssl session id is valid (which it typically will remain unless the server invalidates its copy). IE will always present an empty dialog. Once the user clicks 'cancel', IE will always present no certificate to the server, even if a new certificate appears and the server invalidates the ssl session.

SmartCard Client Authentication: The same as basic authentication except the one certificate lives in a smartcard that can be removed.

If the smartcard is present, any initial connection will operate just like "Basic Client Authentication" above. If the smartcard is removed, then PSM will invalidate the ssl session, so future ssl connections will operate as if the smartcard is not present. In addition PSM can send a smartcard removal event to the webpage, which can be handled in javascript to reload the page. This allows automatic logout semantics. For IE, smartcard removal will not trigger any session cache invalidation, or change IE's cached notion of what certificate to use.

If the smartcard is not present, the initial connection will operate just like "Client Authentication with no Certificate" above. If the smartcard is later inserted, PSM can send a smartcard insertion event to the webpage. In this case the server will have to invalidate the session cache as PSM does not yet provide a way to do it. If the session cache is invalidated and the page redrawn, PSM will operate again like "Basic Client Authentication". In the IE case, a later smartcard insertion will not trigger any new redraw, and the user will have to manually clear the ssl session cache and redraw the page.