From: ejbca-support <ejb...@pr...> - 2012-07-27 05:12:53
Hi Tanaka-San,

The reason why this part may look a bit primitive is that it isn't really intended for large-scale usage. Most customers targeting such uses rather build a specific RA for this purpose where e-mail is typically used to provide a unique (signed) URL to the user rather than leaving a page open for arbitrary access. Then the user doesn't have to know the EJBCA username either, only the password since the username is an implicit part of the signed URL.

However, feel free to provide an upgrade to the public web. I can't though promise when and if it will be integrated because we are doing lots of new things on EJBCA all the time. Recently we made it conform to Common Criteria.

Cheers,
Anders
PrimeKey tech support

On 2012-07-27 06:47, Toru Tanaka wrote:
> Hi Tomas,
> Thank you for prompt reply.
> I understood there is no special reason about this implementation.
>
> This point is designated by our customer.
>
> The user can move next page even if wrong password is entered.
> Therefore,
> the user understand that they entered wrong password when the certificate did not issue.
> Our customer feel that something is wrong.
>
> In addition, about the security aspect,
> we think it is not very good that users can move next page when wrong password is entered.
>
> So, we consider it is better to change of this implementation.
> Concretely,
> if the user enter wrong password, user can not move next page.
>
> If our change is good,
> would be it possible to consider merge of main ejbca?
>
> Toru Tanaka
>
> 2012/7/27 Tomas Gustavsson <to...@pr...>
>
> Hi Toru,
>
> I think it is mostly historical and technical implementation reasons. Nothing is really sent to validate the information until after the second step. Technically there is no reason we could not validate it after the first step (as well).
>
> Cheers,
> Tomas
>
> Toru Tanaka <tanaka_toru@g.ogis-ri.co.jp> wrote:
>
> Hi all
>
> This is confirmation of specification.
> When we issue client certificate,
> 1. Access Public Web Page
> 2. Enter designated "user name" and "password"
> 3. Choice bit number etc and download
>
> the above procedure is needed.
> procedure is no problem.
> But, in procedure 2 "Enter designated "user name" and "password""
> even if wrong password is entered, I can move next page.
> #certificate cannot download.
>
> I wonder this implementation.
> Are there the reason of this implementation ?
>
> Thanks in advance
>
> Toru Tanaka
>
> _______________________________________________
> Ejbca-develop mailing list
> Ejb...@li...
> https://lists.sourceforge.net/lists/listinfo/ejbca-develop
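
The signed-URL enrollment link described in the reply above, combined with the first-step password check proposed in the quoted message, sketched as an added example that is not part of the original thread and is not EJBCA or PrimeKey code. The HMAC key, the `ra.example.test` host, the query parameter names and the `check_password` callback are all assumptions.

```python
import hashlib
import hmac
import time
from typing import Callable, Optional
from urllib.parse import parse_qs, urlencode, urlsplit

# Assumptions, not from the thread: key, host and parameter names are constructed.
RA_KEY = b"constructed-demo-key"  # a real RA keeps this in an HSM or KMS
BASE_URL = "https://ra.example.test/enroll"


def _mac(username: str, expires: int) -> str:
    # Bind the username and the expiry together so neither can be swapped.
    msg = f"{username}\n{expires}".encode()
    return hmac.new(RA_KEY, msg, hashlib.sha256).hexdigest()


def make_enroll_url(username: str, ttl: int = 3600, now: Optional[int] = None) -> str:
    """Build the link the RA e-mails; the username travels inside it."""
    expires = (int(time.time()) if now is None else now) + ttl
    return BASE_URL + "?" + urlencode(
        {"u": username, "exp": expires, "sig": _mac(username, expires)})


def verify_enroll_url(url: str, now: Optional[int] = None) -> Optional[str]:
    """Return the username bound to the link, or None if forged or expired."""
    params = parse_qs(urlsplit(url).query)
    try:
        username, sig = params["u"][0], params["sig"][0]
        expires = int(params["exp"][0])
    except (KeyError, ValueError):
        return None
    # Constant-time comparison on bytes (str input must be ASCII-only).
    if not hmac.compare_digest(sig.encode(), _mac(username, expires).encode()):
        return None
    if (int(time.time()) if now is None else now) > expires:
        return None
    return username


def first_step(url: str, password: str,
               check_password: Callable[[str, str], bool],
               now: Optional[int] = None) -> Optional[str]:
    """Gate the key-options page: link and password are both checked here."""
    username = verify_enroll_url(url, now)
    if username is None or not check_password(username, password):
        return None  # stay on the first page, without saying which check failed
    return username
```

Because `first_step` returns `None` for a bad link and for a wrong password alike, the user cannot reach the key-options page with bad credentials, and the response does not reveal which of the two checks failed.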