In the bug report below on Chrome, the developer fixing his issue came
across the problem I am describing here:
http://code.google.com/p/chromium/issues/detail?id=37765
It is a good thing to be able to ask for a certificate over https,
because that makes it impossible for a man in the middle to substitute
his foaf+ssl certificate, but change the web id to point to one of his
domains for example.
But of course you should not be asking for a client cert at that point
- as the client may not have one yet. And even if it did, that is not
required.
Henry
After creating an account on foaf.me the user ends up on a web page
where he can get his own certificate using keygen. The account
creation page and the keygen page should be under https in a secure
setup, but neither of them should be asking the user for a certificate.
Henry
Oh yes, this is a usability bug on the side of foaf.me. But it is
useful, in that it is helping test Chromium, as Chromium should, on
being asked for a certificate, return none automatically when it does
not have any.
So don't fix this immediately :-) Wait for Chromium to close that bug.
Henry
On Mar 10, 8:47 am, bblfish <henry.st...@gmail.com> wrote:
> So in more detail:
>
> After creating an account on foaf.me the user ends up on a web page
> where he can get his own certificate using keygen. The account
> creation page and the keygen page should be under https in a secure
> setup, but neither of them should be asking the user for a certificate.
>
> On Mar 10, 8:25 am, bblfish <henry.st...@gmail.com> wrote:
>
> > Hi,
>
> > In the bug report below on Chrome, the developer fixing his issue came
> > across the problem I am describing here:
>
> > http://code.google.com/p/chromium/issues/detail?id=37765
>
> > It is a good thing to be able to ask for a certificate over https,
> > because that makes it impossible for a man in the middle to substitute
> > his foaf+ssl certificate, but change the web id to point to one of his
> > domains for example.
>
> > But of course you should not be asking for a client cert at that point
> > - as the client may not have one yet. And even if it did, that is not
> > required.
>
> > Henry
As I've just said in
<http://code.google.com/p/chromium/issues/detail?id=37765#c11>,
it's not wrong for https://foaf.me to ask for a certificate.
Best wishes,
Bruno.