https://foaf.me asks for a client cert


bblfish

Mar 10, 2010, 2:25:50 AM
to foaf.me
Hi,

In the bug report below on Chrome, the developer fixing his issue came
across the problem I am describing here:

http://code.google.com/p/chromium/issues/detail?id=37765

It is a good thing to be able to ask for a certificate over https,
because that makes it impossible for a man in the middle to substitute
his foaf+ssl certificate, but change the web id to point to one of his
domains for example.

But of course you should not be asking for a client cert at that point
- as the client may not have one yet. And even if it did, that is not
required.

Henry

bblfish

Mar 10, 2010, 2:47:17 AM
to foaf.me
So in more detail:

After creating an account on foaf.me the user ends up on a web page
where he can get his own certificate using keygen. The account
creation page and the keygen page should be under https in a secure
setup, but neither of them should be asking the user for a certificate.

bblfish

Mar 10, 2010, 3:23:35 AM
to foaf.me
Oh yes, this is a usability bug on the side of foaf.me. But it is
useful, in that it is helping test Chromium, as Chromium should, on
being asked for a certificate, return none automatically when it does not
have any.

So don't fix this immediately :-) Wait for Chromium to close that bug.

Henry

Melvin Carvalho

Mar 10, 2010, 6:59:06 AM
to foa...@googlegroups.com


2010/3/10 bblfish <henry...@gmail.com>

> Oh yes, this is a usability bug on the side of foaf.me. But it is
> useful, in that it is helping test Chromium, as Chromium should, on
> being asked for a certificate, return none automatically when it does not
> have any.
>
> So don't fix this immediately :-) Wait for Chromium to close that bug.

Thanks for the bug report. A ticket has been filed.

See your reward here: http://reward.me/64

:)

> Henry



Bruno Harbulot

Mar 10, 2010, 5:14:39 AM
to foaf.me
Hi,

As I've just said in
<http://code.google.com/p/chromium/issues/detail?id=37765#c11>,
it's not wrong for https://foaf.me to ask for a certificate.

Best wishes,

Bruno.

Akbar Hossain

Mar 10, 2010, 4:19:10 PM
to foa...@googlegroups.com
Hi Henry,

Let me know when and I can look into switching the certificate request off on the certificate issuance script.

Thanks


