From: Tomas G. <to...@pr...> - 2014-11-15 06:49:12

I think Firefox is more concerned about usability than the openvpn client :).
If you let the user select expired certificates, which will not be accepted by
the server, the support organization risks getting lots of calls from users
making the wrong choice. I.e. they have a new certificate, but try to select
an old one for authentication.
The user friendliness and support issue is another aspect of the whole puzzle.

Cheers,
Tomas

On November 15, 2014 12:08:37 AM CET, Hans Witvliet <hw...@a-...> wrote:
>Thanks Tomas,
>
>If it was an optional feature on the client, yes.
>but afaics this is forced upon me by firefox, no choice....
>
>And if you lay the responsibility with the client, what is the purpose of
>checking it on the server side (devil's advocate)
>
>I mean, when connecting to an ssl webserver, you are given lots of
>choices whether or not to accept risky exceptions, like untrustworthy
>CA's. (are you sure etc etc)
>These are possible exceptions on others' certificates.
>You should not accept them, but you have the choice, so you could.
>
>And there should be no exception for an expired certificate of my own?
>
>Strange, not?
>
>It makes me wonder whether openvpn is an exception in its forgiveness,
>or firefox an exception in being so strict.....
>
>Hans
>
>
>On Fri, 2014-11-14 at 19:55 +0100, Tomas Gustavsson wrote:
>> My spontaneous opinion would definitely be B), where the expired
>> certificate is not accepted. A new card has to be issued.
>>
>> No risk of configuring wrongly on the server side.
>>
>> Cheers,
>> Tomas
>>
>> On 2014-11-13 23:33, Hans Witvliet wrote:
>> > Dear all,
>> >
>> > Last week I was in a discussion about the acceptance of certificates.
>> >
>> > As you all here have a solid experience with certificates, and whether
>> > or not one should accept one, I would like to know about your P.O.V.
>> >
>> > The situation is as follows:
>> > If you have a certificate that is neither expired nor revoked it is
>> > obvious that one should be able to use it for client-authentication.
>> >
>> > But in this case something went wrong during issuing [they should have
>> > been using ejbca instead of some vague proprietary system], and the
>> > validity-period was set to three months instead of three years.... Often
>> > you see that the cert gets revoked automatically, but not in this case.
>> >
>> > a) If I use such a certificate for openvpn, the client does not care, but
>> > it is up to the server-side to decide whether it will accept the
>> > connection or not.
>> >
>> > b) If I use such a certificate for https, I noticed that the client (in
>> > this case firefox) bluntly refuses to try to start the connection,
>> > because the validity date has expired.
>> >
>> > Both parties know & trust each other, but the cert can not be re-issued
>> > (the best solution) because it is glued inside a smartcard.
>> >
>> > So what is the proper behavior?
>> > Situation A) where the server decides what to accept or not, or B) where
>> > the decision is taken out of their hands?
>> >
>> > I am curious about the opinion of a "trusted third party" ;-)
>> >
>> > Hans
>> >
>> > ------------------------------------------------------------------------------
>> > Comprehensive Server Monitoring with Site24x7.
>> > Monitor 10 servers for $9/Month.
>> > Get alerted through email, SMS, voice calls or mobile push notifications.
>> > Take corrective actions from your mobile device.
>> > http://pubads.g.doubleclick.net/gampad/clk?id=154624111&iu=/4140/ostg.clktrk
>> > _______________________________________________
>> > Ejbca-develop mailing list
>> > Ejb...@li...
>> > https://lists.sourceforge.net/lists/listinfo/ejbca-develop
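The server-side behaviour the thread settles on (situation B: the verifier rejects a client certificate that is outside its validity window, independent of what the client chose to present), shown as an added example in Go. This is not code from the thread, nor from EJBCA, OpenVPN or Firefox; it uses only Go's standard crypto/x509 package, and the throwaway CA, the "hans" client certificate with a three-month validity and the timestamps are constructed fixtures that stand in for the mis-issued smartcard certificate described above.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issuedChain is a constructed fixture: an in-memory CA and one client
// certificate it issued. Nothing here touches a real PKI.
type issuedChain struct {
	roots  *x509.CertPool   // trust anchor the server is configured with
	client *x509.Certificate // the certificate the client presents
}

// newChain issues a client certificate valid from notBefore for the given
// duration (the thread's case: three months instead of three years).
func newChain(notBefore time.Time, validity time.Duration) (*issuedChain, error) {
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	caTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Test CA"},
		NotBefore:             notBefore.Add(-time.Hour),
		NotAfter:              notBefore.Add(10 * 365 * 24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	caDER, err := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	caCert, err := x509.ParseCertificate(caDER)
	if err != nil {
		return nil, err
	}

	clientKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	clientTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "hans"}, // constructed subject
		NotBefore:    notBefore,
		NotAfter:     notBefore.Add(validity),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	clientDER, err := x509.CreateCertificate(rand.Reader, clientTmpl, caCert, &clientKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	clientCert, err := x509.ParseCertificate(clientDER)
	if err != nil {
		return nil, err
	}

	pool := x509.NewCertPool()
	pool.AddCert(caCert)
	return &issuedChain{roots: pool, client: clientCert}, nil
}

// verifyClientAt is the server-side decision: build a chain to the trusted
// root and require the certificate to be within its validity window at
// time now. It returns "" when the certificate is acceptable, "expired"
// when the only problem is the validity window (Go reports both "expired"
// and "not yet valid" under x509.Expired), and the verifier's message for
// any other failure. A real server would log the reason and close the
// connection rather than let the client's choice override it.
func verifyClientAt(chain *issuedChain, now time.Time) string {
	_, err := chain.client.Verify(x509.VerifyOptions{
		Roots:       chain.roots,
		CurrentTime: now,
		KeyUsages:   []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err == nil {
		return ""
	}
	var invalid x509.CertificateInvalidError
	if errors.As(err, &invalid) && invalid.Reason == x509.Expired {
		return "expired"
	}
	return "rejected: " + err.Error()
}

func main() {
	issued := time.Date(2014, 8, 1, 0, 0, 0, 0, time.UTC) // constructed issue date
	chain, err := newChain(issued, 90*24*time.Hour)      // three-month validity
	if err != nil {
		panic(err)
	}
	for _, days := range []int{30, 120} {
		when := issued.Add(time.Duration(days) * 24 * time.Hour)
		fmt.Printf("%d days after issue: %q\n", days, verifyClientAt(chain, when))
	}
}
```

The point of the example is the asymmetry the thread describes: the client side can always present the certificate, but the acceptance decision lives in the server's `Verify` call, and a validity-window failure surfaces as a distinct `x509.Expired` reason that can be logged separately from a bad signature or an untrusted issuer.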