Re: [TLS] HTTPS client-certificate-authentication in browsers

Henry Story, Mon, 25 July 2011 12:32 UTC


Hi Anders, I kind of lurk here, but I don't think that client side
CAs are impossible to get right in the browsers. They are pretty close
to doing things right. Logout from the browsers would not be that difficult
to do. I kept thinking that the W3C project could stimulate
the improvement of these pieces.

But I would be interested in feedback from this list on the subject.


On 25 Jul 2011, at 14:06, Anders Rundgren wrote:

> Hi Guys,
> I don't really know who "owns" this question but presumably you do...
> HTTPS client-certificate-authentication in browsers
> ===================================================
> I don't believe that TLS CCA (Client Certificate Authentication) in the
> form of HTTPS as implemented in current browsers has much of a future.
> In fact, quite a bunch of the entities in the EU working with consumer PKI
> have replaced HTTPS CCA with an application level scheme which wasn't such
> a big deal since they anyway were forced to write a browser PKI client more
> or less from scratch since the ones shipped with browsers don't support
> PKI as defined by banks and government (like mandatory PIN codes also
> for on-line enrolled keys).
> That the TLS CCA protocol doesn't even support "Logout" hasn't made
> it a logical choice for web developers either.  Well, there are some
> workarounds but they are by no means straightforward, supported
> out-of-the-box by server authentication schemes, and are (of course)
> entirely undocumented.
> The button "Clear SSL state" in MSIE is an indication of how horribly bad it
> can go when security experts design systems for "people".
> There's no way you can hide the fact that TLS CCA is only truly useful
> securing tunnels between "boxes".
> Anders

Social Web Architect