[foaf-protocols] inducing IE to treat its client cert selector much like an infocard selector

Peter Williams pwilliams at rapattoni.com
Thu Nov 26 15:59:23 CET 2009



Im hoping that folks are now understanding that the "trust" layer of https is entirely NOT standardized. Each of the vendors does their own thing. Here is one interesting thing that IE does that may be relevant to foaf+ssl.

It says at the end, that IE sends all client certs (rather than the one that a user picks). I suspect that this is sloppy writing.

What is interesting is that this is not limited to IIS webservers ; its any listener/deamon that is using the schannel component for handling SSL. One interesting server is the scriptable proxy at fiddlertool.com - that uses native windows libraries for SSL.



sendTrustedIssuerList
Registry path
HKLM SYSTEM\CurrentControlSet\Control\SecurityProviders\SCHANNEL

Version
Windows Server 2003
This entry controls the flag controlling sending of list of trusted issuers. In the case of servers that trust hundreds of certificate authorities for client authentication, there are too many issuers for the server to be able to send them all to the client when requesting client authentication. In this situation, this registry key can be set, and instead of sending a partial list, Schannel will not send any to the client.
Not sending a list of trusted issuers might impact what the client sends when asked for a client certificate. For example, when Internet Explorer receives a request for client authentication, it only displays the client certificates that chain up to one of the certificate authorities that is sent by the server. If the server did not send a list, then Internet Explorer displays all of the client certificates that are installed on the client machine. This behavior might be desirable, when PKI environments include cross certificates, the client and server certificates will not have the same Root CA and therefore, Internet Explorer cannot chose a certificate that chains up to on of the server's CAs. By configuring the server to not send a trusted issuer list then Internet Explorer will send all its certificates.
This entry does not exist in the registry by default. This value is true by default.

-------------- next part --------------
An HTML attachment was scrubbed...
URL: http://lists.foaf-project.org/pipermail/foaf-protocols/attachments/20091126/964feb6f/attachment.htm 


More information about the foaf-protocols mailing list