Am Freitag, den 07.09.2007, 10:04 -0400 schrieb Arshad Noor: > Alex, > > Do you presume that the websites in the domains that you intend > to track users will install the self-signed CA certificate that > issued the client-certificate to the unsuspecting user? If not, > how will the browser know which client certificate to send to > the website during client-auth? And what happens to the users In TLS, the Server can for example request that the Cert was issued by a certain CA, to select from multiple installed certificates. > who do not have have client-certs issued by this CA when they > attempt to connect to the site? From RFC4346: If no suitable certificate is available, the client SHOULD send a certificate message containing no certificates. That is, the certificate_list structure has a length of zero. If client authentication is required by the server for the handshake to continue, it may respond with a fatal handshake failure alert. So the connection can still be continued.
Attachment:
signature.asc
Description: Dies ist ein digital signierter Nachrichtenteil
_______________________________________________ Full-Disclosure - We believe in it. Charter: http://lists.grok.org.uk/full-disclosure-charter.html Hosted and sponsored by Secunia - http://secunia.com/