Re: [TLS] Asking the browser for a different certificate

Wan-Teh Chang <wtc@google.com> Sat, 27 March 2010 00:11 UTC

Return-Path: <wtc@google.com>
X-Original-To: tls@core3.amsl.com
Delivered-To: tls@core3.amsl.com
Received: from localhost (localhost [127.0.0.1]) by core3.amsl.com (Postfix) with ESMTP id 658CA3A68C8 for <tls@core3.amsl.com>; Fri, 26 Mar 2010 17:11:26 -0700 (PDT)
X-Virus-Scanned: amavisd-new at amsl.com
X-Spam-Flag: NO
X-Spam-Score: -100.847
X-Spam-Level:
X-Spam-Status: No, score=-100.847 tagged_above=-999 required=5 tests=[BAYES_00=-2.599, DNS_FROM_OPENWHOIS=1.13, FM_FORGED_GMAIL=0.622, USER_IN_WHITELIST=-100]
Received: from mail.ietf.org ([64.170.98.32]) by localhost (core3.amsl.com [127.0.0.1]) (amavisd-new, port 10024) with ESMTP id sQZT0h+gnIrF for <tls@core3.amsl.com>; Fri, 26 Mar 2010 17:11:25 -0700 (PDT)
Received: from smtp-out.google.com (smtp-out.google.com [74.125.121.35]) by core3.amsl.com (Postfix) with ESMTP id DDD0F3A6B69 for <tls@ietf.org>; Fri, 26 Mar 2010 17:11:22 -0700 (PDT)
Received: from hpaq14.eem.corp.google.com (hpaq14.eem.corp.google.com [10.3.21.14]) by smtp-out.google.com with ESMTP id o2R0BfBu018154 for <tls@ietf.org>; Sat, 27 Mar 2010 01:11:42 +0100
DKIM-Signature: v=1; a=rsa-sha1; c=relaxed/relaxed; d=google.com; s=beta; t=1269648702; bh=I0jKqj2UMQLTeHxvOBBwAA7lOAY=; h=MIME-Version:In-Reply-To:References:Date:Message-ID:Subject:From: To:Cc:Content-Type; b=pg3m1Dh2YnXJI5wULihutMdiBuFMTuReyJrPcluxCJrYwTtO2D7z/TqR8D9huNa6Q d8t0qq7dZHeQ6KOw1577A==
DomainKey-Signature: a=rsa-sha1; s=beta; d=google.com; c=nofws; q=dns; h=mime-version:in-reply-to:references:date:message-id:subject:from:to: cc:content-type:x-system-of-record; b=hPm86sVeTqnSm2c/zOgHvVbpWymenVTrP7X7q7717i2YOjW2khEvRHdEHdX0vfKvy M0XzjHd2FzCeQM0E88ADg==
Received: from wwb29 (wwb29.prod.google.com [10.241.241.93]) by hpaq14.eem.corp.google.com with ESMTP id o2R0Benf019505 for <tls@ietf.org>; Sat, 27 Mar 2010 01:11:41 +0100
Received: by wwb29 with SMTP id 29so15494wwb.11 for <tls@ietf.org>; Fri, 26 Mar 2010 17:11:40 -0700 (PDT)
MIME-Version: 1.0
Received: by 10.216.13.140 with HTTP; Fri, 26 Mar 2010 17:11:40 -0700 (PDT)
In-Reply-To: <201003240314.o2O3ESig015991@fs4113.wdf.sap.corp>
References: <8FCB6B68-2EE5-4BC2-948B-A2640DDB9A93@bblfish.net> <201003240314.o2O3ESig015991@fs4113.wdf.sap.corp>
Date: Fri, 26 Mar 2010 17:11:40 -0700
Received: by 10.216.85.133 with SMTP id u5mr917187wee.91.1269648700446; Fri, 26 Mar 2010 17:11:40 -0700 (PDT)
Message-ID: <e8c553a61003261711j6e4d2c8ak40198a85b2ad0d46@mail.gmail.com>
From: Wan-Teh Chang <wtc@google.com>
To: mrex@sap.com
Content-Type: text/plain; charset=ISO-8859-1
X-System-Of-Record: true
Cc: tls@ietf.org
Subject: Re: [TLS] Asking the browser for a different certificate
X-BeenThere: tls@ietf.org
X-Mailman-Version: 2.1.9
Precedence: list
List-Id: "This is the mailing list for the Transport Layer Security working group of the IETF." <tls.ietf.org>
List-Unsubscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=unsubscribe>
List-Archive: <http://www.ietf.org/mail-archive/web/tls>
List-Post: <mailto:tls@ietf.org>
List-Help: <mailto:tls-request@ietf.org?subject=help>
List-Subscribe: <https://www.ietf.org/mailman/listinfo/tls>, <mailto:tls-request@ietf.org?subject=subscribe>
X-List-Received-Date: Sat, 27 Mar 2010 00:11:26 -0000

On Tue, Mar 23, 2010 at 8:14 PM, Martin Rex <mrex@sap.com> wrote:
>
> AFAIK, Apple Safari and Chrome, when running on Microsoft Windows,
> use the Microsoft WinHTTP API and therefore the Microsoft SChannel SSP
> as the TLS provider and much of the (default) behaviour might be that
> of WinHTTP rather than a conscious choice of the Browser designers.

Google Chrome 1.0 used WinHTTP.  Starting in Chrome 2.0, Chrome is
using the Microsoft SChannel directly.

Like MSIE, the Windows version of Chrome closes the network connection
while prompting the user to select a client certificate.  This could be due to
a limitation of the SChannel, but I agree with you that it's a very sensible
behavior.

Wan-Teh Chang