== Client Authentication Scenarios ==
'''Basic Client Authentication''': The client has exactly one certificate installed and it matches the CA list sent to the user.
This is the base scenario that all the software was initially designed for. Currently in PSM, 'select automatically' presents the one valid certificate to the server automatically. 'Ask every time' presents a dialog with the single certificate when you first connect; later connections only prompt again if the SSL session ID is cleared (either in the server or in the client). In IE the user is prompted to supply the single valid certificate, and IE always uses that certificate to authenticate.
'''Client Authentication with no Certificate''': The client has no certificate installed.
This is the 'common' case of a user trying to go to a site that uses client authentication. In the current PSM case, both 'select automatically' and 'Ask every time' present no certificate, without any user intervention. If the server required client authentication, a connection error is presented. If the server only requested client auth, the SSL connection completes and the server can either present an appropriate error or request some alternate form of authentication. PSM will not check for the existence of a new certificate as long as the SSL session ID is valid (which it typically remains unless the server invalidates its copy). IE always presents an empty dialog. Once the user clicks 'cancel', IE presents no certificate to the server from then on, even if a new certificate appears and the server invalidates the SSL session.
'''SmartCard Client Authentication''': The same as basic authentication, except that the one certificate lives on a smartCard that can be removed.
If the smartCard is present, any initial connection operates just like "Basic Client Authentication" above. If the smartCard is removed, PSM invalidates the SSL session, so future SSL connections operate as if the smartCard were not present. In addition PSM can send a smartcard removal event to the web page, which can be handled in JavaScript to reload the page. This gives automatic logout semantics. For IE, smartCard removal does not trigger any session cache invalidation, nor does it change IE's cached notion of which certificate to use.
If the smartCard is not present, the initial connection operates just like "Client Authentication with no Certificate" above. If the smartCard is later inserted, PSM can send a smartcard insertion event to the web page. In this case the server has to invalidate the session cache, as PSM does not yet provide a way to do it. Once the session cache is invalidated and the page redrawn, PSM again operates like "Basic Client Authentication". In the IE case, a later smartCard insertion does not trigger any redraw, and the user has to manually clear the SSL session cache and redraw the page.
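A page-side handler for the two smartcard events described above, as an added example (it is not code from the original page, nor from PSM or Mozilla). It assumes the event names smartcard-remove / smartcard-insert and the window.crypto.enableSmartCardEvents opt-in, which the text above does not name, and a hypothetical server URL /session/invalidate that drops the server's cached SSL session and redirects back to the page. installSmartCardHandlers takes the document and window as parameters so the logic can be exercised outside a browser.

```javascript
// Added example, not code from the original page or from PSM/Mozilla.
// Assumptions (the page does not name the API): the browser dispatches
// "smartcard-remove" and "smartcard-insert" events on the document once
// window.crypto.enableSmartCardEvents is set to true, and the server exposes
// a hypothetical URL (/session/invalidate) that clears its SSL session cache
// entry for this client and redirects back to the requested page.

const SMARTCARD_EVENTS = {
  remove: 'smartcard-remove', // assumed event name
  insert: 'smartcard-insert', // assumed event name
};

// Wire the handlers to a document/window pair. Both are passed in explicitly
// so the function can be driven from a test harness as well as a browser.
// Returns a log of the events handled, for inspection.
function installSmartCardHandlers(doc, win, options) {
  const opts = Object.assign({ invalidateUrl: '/session/invalidate' }, options || {});
  const log = [];

  // Opt in to smartcard events (assumed browser API; harmless elsewhere).
  if (win.crypto && typeof win.crypto === 'object') {
    win.crypto.enableSmartCardEvents = true;
  }

  // Card removed: PSM has already invalidated the client side of the SSL
  // session, so a plain reload renegotiates as "no certificate", which is
  // the automatic logout the text describes.
  doc.addEventListener(SMARTCARD_EVENTS.remove, () => {
    log.push('remove');
    win.location.reload();
  });

  // Card inserted: the client side of the session is still valid and PSM
  // offers no way to clear it, so the server must drop its cached session.
  // Navigate to the server's invalidation URL, which redirects back here;
  // the next handshake then runs as "Basic Client Authentication".
  doc.addEventListener(SMARTCARD_EVENTS.insert, () => {
    log.push('insert');
    const back = encodeURIComponent(win.location.href);
    win.location.assign(`${opts.invalidateUrl}?return=${back}`);
  });

  return log;
}

// Browser entry point: only runs when a real document and window exist.
if (typeof document !== 'undefined' && typeof window !== 'undefined') {
  installSmartCardHandlers(document, window);
}
```

The two branches are deliberately asymmetric to match the behaviour above: on removal the client already holds no usable session, so a reload is enough; on insertion the client still holds a valid "no certificate" session, so only the server can force a fresh handshake. IE does not fire either event, so this handler has no effect there.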
'''More than one certificate, only one is valid''': The client has more than one certificate, but only one matches the CA list.
PSM treats this exactly the same as one certificate: only the matching certificate is placed in any prompt. In IE all certificates are placed in the initial prompt and the user has to work out which certificate is valid.
'''SmartCard Authentication with multiple certs, only one valid''': The client has more than one certificate, and the one valid certificate lives on the smartCard.
<text>
'''More than one certificate is valid''': The client has multiple certificates that are valid (that match the CA list).
<text>
'''Client has expired certificate''': The client has certificates which match the CA list but are expired.
<text>
'''Multiple certificates, none match''': The client has multiple certificates, but none matches the server's list. This can be because 1) the client has never been registered with the server and cannot authenticate to it, or 2) the server does not include a complete list of CAs in its CA list, or the CA list is incorrectly configured.
<text>