--
Joseph Holsten
http://josephholsten.com
mailto:jos...@josephholsten.com
tel:+1-918-948-6747
I'm certainly very interested in this tech. The only thing being that browsers have to be changed to improve this UX. Are there specific parts of the flow you'd like to see improved?
Sent from my Android phone
I use Firefox for my clent side certs. My friend uses Safari. In ff it's mostly click link, click yes, done. In safari you download the file and click it, which imports it to keychain.
Not surewhat IE does.
I'd reccomend getting a CAcert.org account so you can play with this.
Sent from my Android phone
On Nov 10, 2009 12:42 PM, "Joseph A Holsten" <jos...@josephholsten.com> wrote:
I got this question from a fellow via ardvark, and he phrased it
'Something like "Take this cert". "OK" and it is imported in the
browser.'
Of course, I can't even make Safari use client certs and I know the
difference between DER and BER encodings.
It seems that TLS defines a message for pushing the Server Certificate
chain to the client[1], and for requesting the Client Certificate, but
I can't see a way to push a private key + cert. So there may not be a
way to do this yet. And this is so not within scope of the hammer
disco stack.
For prototyping this, I assume Firefox and Chromium are options.
Webkit uses the system wide keychain, so that's probably a no-go.
1: 7.4.2 Server Certificate http://tools.ietf.org/html/rfc5246#section-7.4.2
2: 7.4.4 Certificate Request http://tools.ietf.org/html/rfc5246#section-7.4.4
On Nov 10, 2009, at 9:07 AM, Stephen Paul Weber wrote: > I'm certainly very interested in this tec...
--~--~---------~--~----~------------~-------~--~----~
You received this message because you are subscribed to the Google Groups "Diso Project" group.
To post to this group, send email to diso-p...@googlegroups.com
To unsubscribe from this group, send email to diso-project...@googlegroups.com
For more options, visit this group at http://groups.google.com/group/diso-project?hl=en
-~----------~----~----~----~------~----~------~--~---
I use certificate login on some websites, but I also use the same
certificate for signing email (and maybe at some point I'll use it for
IM login, too). IMHO the browser is not a keychain. That doesn't mean
any of this is easy, yet...
Peter
--
Peter Saint-Andre
https://stpeter.im/
Seems the wrong way to go about it: fixing UX by using new tech in a redundant way.
Also, oAuth really does solve a different problem,
Sent from my Android phone
On Nov 17, 2009 3:08 AM, "Joseph A Holsten" <jos...@josephholsten.com> wrote:On Nov 12, 2009, at 3:42 PM, Peter Saint-Andre wrote: > On 11/12/09 10:28 AM, Chris Messina wrote: >...
I was reviewing the OAuth draft again, and wondered if OAuth + TLS
using a standard server cert really handles the client authentication
+ encryption problem in as secure a fashion as client certs. Would it
make more sense to just improve OAuth in the browser?
I also wonder if there's value in an OAuth keychain. It's certainly
not the way OAuth was intended to be used, but I know the Apple
keychain has some ability to limit which apps can use which keys.
If browsers start having OAuth support, they're definitely going to
need a secure store for those OAuth tokens, so my malicious app
doesn't just dig through your Firefox config for access to tokens.
draft-hammer-oauth-05 §4.7 is server specific, and §4.8 only
recommends to hide the client credentials. Maybe I should mention that
on some OAuth list? Any idea which is the right one?
--
j
--
You received this message because you are subscribed to the Google Groups "Diso Project" group. To ...
For more options, visit this group at http://groups.google.com/group/diso-project?hl=.
--
You received this message because you are subscribed to the Google Groups "Diso Project" group.
To post to this group, send email to diso-p...@googlegroups.com.For more options, visit this group at http://groups.google.com/group/diso-project?hl=.
To unsubscribe from this group, send email to diso-project...@googlegroups.com.
I still see OAuth as about authorization / delegation, not authentication.
> I also wonder if there's value in an OAuth keychain. It's certainly
> not the way OAuth was intended to be used, but I know the Apple
> keychain has some ability to limit which apps can use which keys.
And how many people use that? :)
> If browsers start having OAuth support, they're definitely going to
> need a secure store for those OAuth tokens, so my malicious app
> doesn't just dig through your Firefox config for access to tokens.
Good point.
> draft-hammer-oauth-05 §4.7 is server specific, and §4.8 only
> recommends to hide the client credentials. Maybe I should mention that
> on some OAuth list? Any idea which is the right one?
https://www.ietf.org/mailman/listinfo/oauth (please)