Updates:
    Cc: -sle...@google.com
    Labels: Needs-Feedback

Comment #45 on issue 268055 by rsl...@chromium.org: "No Certificates Found"
https://code.google.com/p/chromium/issues/detail?id=268055

Note: This bug has grown a number of comments, making it difficult to
triage. I'm going to set a Needs-Feedback flag on this; those that are
encountering issues are requested to provide a chrome
net-internals/net-export log (see
https://dev.chromium.org/for-testers/providing-network-details).

However, please be aware: If a website requests client certificate
authentication (whether in require or want mode - if it requests it *at
all*), then this behaviour is expected and by design as part of the Android
security model.

If you are using client certificate authentication, and are an Enterprise,
you can use the android.app.admin APIs to handle and suppress prompts, as
appropriate to your enterprise config, through the use of an MDM
application.

If you are a user, and seeing this on random sites, the *server* is at
fault. While we can suppress these prompts on some platforms Chrome runs on
(such as common desktop platforms), the enhanced security and privacy
design of Android does not make it possible for applications - whether Chrome
or evil hostile applications - to find out your identities in a way that
would let us suppress the prompt if you don't have any. However, the
server, not Chrome, is the one misconfigured for requesting it in the first
place.

I'm not directly closing this as WontFix, in the slight event that someone
has a net-internals log that suggests there might be a Chrome bug where the
server *isn't* requesting it, but based on these comments, that does not
appear to be the case. We will likely WontFix this, for working as
intended, for the reasons described above.
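
An added illustration (not part of the original comment and not Chromium code): in TLS 1.2 and earlier, a server in either "want" or "require" mode sends the same cleartext CertificateRequest handshake message (type 13), so a captured server flight shows whether the server asked for a certificate at all. The function names are hypothetical and the sample bytes are constructed with placeholder message bodies; TLS 1.3 encrypts this message, so the check does not apply there.

```python
import struct

HANDSHAKE, CHANGE_CIPHER_SPEC = 22, 20   # TLS record content types
CERTIFICATE_REQUEST = 13                 # handshake type (RFC 5246)

def handshake_types(stream):
    """List handshake message types in a cleartext TLS <=1.2 record stream."""
    buf, pos = bytearray(), 0
    while pos + 5 <= len(stream):
        ctype, _version, length = struct.unpack_from("!BHH", stream, pos)
        body = stream[pos + 5:pos + 5 + length]
        if len(body) < length:
            raise ValueError("truncated TLS record")
        if ctype == CHANGE_CIPHER_SPEC:
            break                        # later records are encrypted
        if ctype == HANDSHAKE:
            buf += body                  # messages may span or share records
        pos += 5 + length
    types, i = [], 0
    while i + 4 <= len(buf):
        msg_len = int.from_bytes(buf[i + 1:i + 4], "big")
        if i + 4 + msg_len > len(buf):
            raise ValueError("truncated handshake message")
        types.append(buf[i])
        i += 4 + msg_len
    return types

def server_requests_client_cert(stream):
    """True if the server flight contains a CertificateRequest."""
    return CERTIFICATE_REQUEST in handshake_types(stream)

# --- constructed sample data (placeholder bodies, not real captures) ---
def _msg(msg_type, body=b""):
    return bytes([msg_type]) + len(body).to_bytes(3, "big") + body

def _rec(payload, ctype=HANDSHAKE):
    return struct.pack("!BHH", ctype, 0x0303, len(payload)) + payload

_flight = _msg(2, bytes(6)) + _msg(11, bytes(3)) + _msg(13, bytes(4)) + _msg(14)
# Split mid-message across two records to exercise reassembly.
WITH_REQUEST = _rec(_flight[:7]) + _rec(_flight[7:])
WITHOUT_REQUEST = _rec(_msg(2, bytes(6)) + _msg(11, bytes(3)) + _msg(14))

if __name__ == "__main__":
    for name, data in (("with", WITH_REQUEST), ("without", WITHOUT_REQUEST)):
        print(name, handshake_types(data), server_requests_client_cert(data))
```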