Re: [TLS] HTTPS client-certificate-authentication in browsers

Daniel Kahn Gillmor <> Wed, 27 July 2011 00:28 UTC

Date: Wed, 27 Jul 2011 02:28:16 +0200
From: Daniel Kahn Gillmor <>
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <>

On 07/26/2011 09:54 PM, Anders Rundgren wrote:
> It's actually quite hard writing an HTTPS CCA-based web app that
> has similar login and session characteristics as one using password
> authentication.

What's so hard about it?  Designate a URL (e.g. that triggers a request for client-side
certificates.  When the user visits that URL with an acceptable
client-side certificate, set a session cookie, and redirect them back to
the page they were coming from.

When the user is not logged in, show them a login link that points to
the designated URL.

When they are logged in, show them a logout link that takes them to a
URL that clears the session cookie.

Am i missing something that makes this approach difficult or wrong?