[TLS] Asking the browser for a different certificate

Story Henry <henry.story@bblfish.net> Wed, 24 March 2010 00:07 UTC

From: Story Henry <henry.story@bblfish.net>
Date: Wed, 24 Mar 2010 01:07:21 +0100
Message-Id: <8FCB6B68-2EE5-4BC2-948B-A2640DDB9A93@bblfish.net>
To: tls@ietf.org
Subject: [TLS] Asking the browser for a different certificate


Is there a way for a server to get the browser to ask the user for a new certificate? It seems that a lot of browsers send certificates automatically. Safari is the worst, in that once it makes a decision it never asks the user again it seems. Firefox and Opera ask the user again on restart. This is a problem in a number of situations, such as if the user mistakenly selects the wrong cert. The user experience is really bad as a result.

It seems to me that the browser should show the user what certificate it is using on a connection, and allow the user to change the certificate if he wants to change persona. That seems to me to be a very important piece of feedback.

I filed an issue in Google Chrome for this

Please vote on it.

But perhaps there is also a way to do this at a deeper TLS level from the server side. I found that having different server certs at different ports works. But that is to say the least extremely clunky.

Perhaps I have missed something.


Social Web Architect
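The "deeper TLS level" lever the message is looking for is the CertificateRequest handshake message itself (RFC 5246, section 7.4.4): the server lists the distinguished names of the CAs it will accept, and a client only offers certificates that chain to one of those names (an empty list means any issuer). The following is an added example, not code from the original message or from any browser mentioned in it. It builds and parses a TLS 1.2 CertificateRequest and models the client-side filter; the CA names and the function names are constructed for illustration.

```python
"""TLS 1.2 CertificateRequest (RFC 5246, section 7.4.4) builder and parser.

Added example, not code from the original post or from any browser or
server it mentions.  The certificate_authorities field is the server-side
lever for steering which client certificate a browser offers: clients only
present certificates issued under one of the listed distinguished names,
and an empty list means "any issuer".  DNs below are constructed samples.
"""
import struct

HS_CERTIFICATE_REQUEST = 13          # HandshakeType certificate_request
RSA_SIGN, ECDSA_SIGN = 1, 64         # ClientCertificateType values
SIG_ALGS = [(4, 1), (4, 3)]          # (hash, sig): sha256/rsa, sha256/ecdsa
OID_COMMON_NAME = b"\x06\x03\x55\x04\x03"   # DER-encoded OID 2.5.4.3


def _der(tag, body):
    """Encode one DER TLV; this example only needs short-form lengths (< 128)."""
    if len(body) >= 0x80:
        raise ValueError("long-form DER length not supported in this example")
    return bytes([tag, len(body)]) + body


def dn_from_cn(cn):
    """Minimal X.501 Name with one commonName RDN:
    SEQUENCE { SET { SEQUENCE { OID 2.5.4.3, UTF8String cn } } }"""
    atv = _der(0x30, OID_COMMON_NAME + _der(0x0C, cn.encode("utf-8")))
    return _der(0x30, _der(0x31, atv))


def build_certificate_request(cert_types, sig_algs, ca_dns):
    """Serialise a CertificateRequest: type byte, 24-bit length, then body."""
    if not cert_types:
        raise ValueError("certificate_types must hold at least one entry")
    types = bytes(cert_types)
    algs = b"".join(bytes(pair) for pair in sig_algs)
    cas = b"".join(struct.pack("!H", len(dn)) + dn for dn in ca_dns)
    body = (bytes([len(types)]) + types
            + struct.pack("!H", len(algs)) + algs
            + struct.pack("!H", len(cas)) + cas)
    return bytes([HS_CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body


def _take(buf, pos, n):
    """Bounds-checked slice so a truncated message raises instead of parsing short."""
    if pos + n > len(buf):
        raise ValueError("truncated CertificateRequest")
    return buf[pos:pos + n], pos + n


def parse_certificate_request(msg):
    """Return (certificate_types, signature_algorithms, certificate_authorities)."""
    if not msg or msg[0] != HS_CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest")
    hdr, pos = _take(msg, 1, 3)
    body, _ = _take(msg, pos, int.from_bytes(hdr, "big"))
    raw, pos = _take(body, 0, 1)
    types, pos = _take(body, pos, raw[0])
    raw, pos = _take(body, pos, 2)
    n = struct.unpack("!H", raw)[0]
    if n % 2:
        raise ValueError("odd supported_signature_algorithms length")
    algs_raw, pos = _take(body, pos, n)
    algs = [(algs_raw[i], algs_raw[i + 1]) for i in range(0, n, 2)]
    raw, pos = _take(body, pos, 2)
    end = pos + struct.unpack("!H", raw)[0]
    dns = []
    while pos < end:
        raw, pos = _take(body, pos, 2)
        dn, pos = _take(body, pos, struct.unpack("!H", raw)[0])
        dns.append(dn)
    if pos != end:
        raise ValueError("certificate_authorities length mismatch")
    return list(types), algs, dns


def client_would_offer(client_issuer_dn, requested_dns):
    """Browser-side filter: an empty list accepts any issuer; otherwise the
    client certificate's issuer DN must match one listed DN byte-for-byte."""
    return not requested_dns or client_issuer_dn in requested_dns


if __name__ == "__main__":
    ca = dn_from_cn("Example Client CA")          # constructed sample CA name
    msg = build_certificate_request([RSA_SIGN, ECDSA_SIGN], SIG_ALGS, [ca])
    print(msg.hex())
    print(parse_certificate_request(msg))
```

Two caveats for anyone trying this on a live server: the DN comparison is a byte-for-byte match, so the encoded Name must be identical to the issuer field in the client certificate, and the message only restricts which certificates the browser is willing to present; it cannot force a browser that has cached a choice to re-prompt on the same connection.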