HTTPS client-certificate-authentication in browsers
Anders Rundgren
I don't really know who "owns" this question but presumably you do...
HTTPS client-certificate-authentication in browsers
===================================================
I don't believe that TLS CCA (Client Certificate Authentication) in the
form of HTTPS as implemented in current browsers has much of a future.
In fact, quite a bunch of the entities in the EU working with consumer PKI
have replaced HTTPS CCA with an application level scheme which wasn't such
a big deal since they anyway were forced writing a browser PKI client more
or less from scratch since the ones shipped with browsers doesn't support
PKI as defined by banks and government (like mandatory PIN codes also
for on-line enrolled keys).
That the TLS CCA protocol doesn't even support "Logout" haven't made
it a logical choice for web developers either. Well, there are some
workarounds but they are by no means straightforward, supported
out-of-the-box by server authentication schemes, and are (of course)
entirely undocumented.
The button "Clear SSL state" in MSIE is an indication how horribly bad it
can go when security experts design systems for "people".
There's no way you can hide the fact that TLS CCA is only truly useful
securing tunnels between "boxes".
Anders