'''Basic Client Authentication''': The client has exactly one certificate installed, and it matches the CA list sent by the server.
This is the base scenario that all the software was originally designed for. Currently in PSM, 'Select automatically' presents the one valid certificate to the server without prompting. 'Ask every time' presents a dialog with the single certificate on the first connection; the user may refuse to use the certificate, in which case no certificate is sent. Later connections prompt again only if the SSL session ID is cleared (on either the server or the client). In IE the user is prompted to supply the single valid certificate, and may likewise refuse, in which case no certificate is sent. IE then keeps using that certificate to authenticate, even if the SSL session ID is cleared, until the user closes IE or clicks the 'Clear SSL Cache' button.
'''Client Authentication with no Certificate''': The client has no client authentication certificates.
This is the common case of a user visiting a site that uses client authentication. In the current PSM, both 'Select automatically' and 'Ask every time' present no certificate, and no prompt is shown to the user. If the server required client authentication, a connection error is presented. If the server only requested client authentication, the SSL connection completes and the server can either present an appropriate error or fall back to some alternate form of authentication. PSM will not check for a newly installed certificate unless the SSL session ID is cleared. IE always presents an empty dialog; once the user clicks 'Cancel', IE keeps presenting no certificate to the server, even if a new certificate appears and the server clears the SSL session ID.
'''SmartCard Client Authentication''': The same as basic authentication, except that the one certificate lives on a smartCard that can be removed.
If the smartCard is present, any initial connection behaves just like "Basic Client Authentication" above. If the smartCard is removed, PSM clears the SSL session ID, so subsequent SSL connections behave as if the smartCard were not present. In addition, PSM can send a smartCard removal event to the web page, which can be handled in JavaScript to reload the page; this gives automatic logout semantics. In IE, smartCard removal neither clears the SSL session ID nor changes IE's cached notion of which certificate to use, so the user stays logged in even after the card has been removed. Only clicking the 'Clear SSL Cache' button clears IE's session ID and its idea of which certificate to authenticate with. If the server clears the session ID while the smartCard is removed, IE prompts for the smartCard to be reinserted.
If the smartCard is not present, the initial connection behaves just like "Client Authentication with no Certificate" above. If the smartCard is inserted later, PSM can send a smartCard insertion event to the web page. In this case the server has to clear the SSL session ID, as PSM does not yet provide a way to do it from the client side. Once the SSL session ID is cleared and the page redrawn, PSM again behaves like "Basic Client Authentication". In IE, a later smartCard insertion triggers no redraw, nor does IE reprompt the user if the SSL session ID is cleared; the user has to click the 'Clear SSL Cache' button and reload the page manually.
'''More than one certificate, only one is valid''': The client has more than one certificate, but only one matches the CA list.
'''SmartCard Authentication with multiple certs, only one valid''': The client has more than one certificate, and the one valid certificate lives on the smartCard.
In PSM, this is exactly like the "SmartCard Client Authentication" case.*  | |||
In IE, if the smartCard is not inserted, the user is presented with the list of certificates that do not match the CA list sent by the server. The user can select from the list or select none of the certificates. IE remembers this choice even after the smartCard is inserted; the user has to click the 'Clear SSL Cache' button before being able to authenticate with the smartCard.
*This needs to be verified. A code review of PSM seems to indicate this is the case, but there have been some reports that very different things happen if 'Ask every time' is set.
'''More than one certificate is valid''': The client has multiple certificates that are valid (match the CA list).
This can happen either because the user has overlapping valid certificates (the user renewed a certificate before it actually expired), or because the user has multiple certificates associated with different roles on the server.
In this case, if 'Select automatically' is set in PSM, PSM selects the 'most appropriate certificate'. Where different roles are associated with the different certificates, PSM may or may not pick the correct certificate, as it has no information about which role the user wishes to use. If 'Ask every time' is set, PSM presents a dialog with all the certificates that match the CA list, including expired ones.
IE treats this case the same as "More than one certificate, only one is valid".  | |||
'''Client has expired certificate''': The client has certificates that are expired but match the CA list.
This scenario typically happens when either 1) the user lets his certificate lapse, or 2) a certificate is being renewed. In PSM, only unexpired certificates that match the CA list are used in the 'Select automatically' case; if there are no unexpired certificates, PSM sends no certificate. In the 'Ask every time' case, expired certificates are listed at the end and marked as expired. IE lists all certificates, expired or not.
'''Multiple certificates, none match''': The client has multiple certificates, but none match the server's CA list. This can be because 1) the client has never been registered with the server and cannot authenticate to it, or 2) the server does not include a complete list of CAs in its CA list, or the CA list is incorrectly configured.
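The CA-list matching, the expired-certificate rule and the difference between a server that requests and one that requires client authentication, as an added example that is not part of this page, of PSM or of IE, written in Go against its crypto/tls package. It builds a constructed throwaway PKI (one CA the server trusts and one unrelated CA; the names corp-client-ca, unrelated-ca, server.test, alice and bob are all made up), models PSM's 'Select automatically' rule in autoSelect (offer an unexpired certificate whose issuer appears in the CA list the server sent, otherwise offer nothing), and runs real handshakes over loopback TCP so the server's view of each scenario can be checked. tls.VerifyClientCertIfGiven is used to stand in for a server that only requests client authentication, tls.RequireAndVerifyClientCert for one that requires it.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"io"
	"math/big"
	"net"
	"time"
)

// issue mints an Ed25519 cert for cn: a self-signed CA when parent is nil, else a leaf signed by parent (throwaway test PKI).
func issue(cn string, parent *tls.Certificate, notAfter time.Time) tls.Certificate {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	serial, _ := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: []string{cn}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: notAfter, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth, x509.ExtKeyUsageServerAuth},
	}
	signer, signKey := tmpl, any(key)
	if parent != nil {
		signer, signKey = parent.Leaf, parent.PrivateKey
	} else {
		tmpl.IsCA, tmpl.KeyUsage = true, x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, pub, signKey)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// autoSelect models PSM's 'Select automatically' rule from the text: offer the first installed certificate that is
// inside its validity period and whose issuer is in the CA list the server sent (info.AcceptableCAs); else send none.
func autoSelect(installed []tls.Certificate) func(*tls.CertificateRequestInfo) (*tls.Certificate, error) {
	return func(info *tls.CertificateRequestInfo) (*tls.Certificate, error) {
		for i := range installed {
			leaf, err := x509.ParseCertificate(installed[i].Certificate[0])
			if err != nil || time.Now().Before(leaf.NotBefore) || time.Now().After(leaf.NotAfter) {
				continue // expired certs are never auto-selected; PSM only lists them under 'Ask every time'
			}
			for _, ca := range info.AcceptableCAs {
				if string(ca) == string(leaf.RawIssuer) {
					return &installed[i], nil
				}
			}
		}
		return &tls.Certificate{}, nil // empty Certificate: crypto/tls sends no client certificate
	}
}

// handshake runs one TLS handshake over loopback TCP; it reports the CN of the client certificate the
// server saw ("" when none was sent) and any error that aborted the handshake on either side.
func handshake(srvCfg, cliCfg *tls.Config) (cn string, err error) {
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil {
		return "", err
	}
	done := make(chan error, 1)
	go func() { // server side
		raw, err := ln.Accept()
		if err == nil {
			srv := tls.Server(raw, srvCfg)
			defer srv.Close() // close_notify ends the client's ReadAll below
			if err = srv.Handshake(); err == nil {
				if p := srv.ConnectionState().PeerCertificates; len(p) > 0 {
					cn = p[0].Subject.CommonName
				}
			}
		}
		done <- err
	}()
	cli, err := tls.Dial("tcp", ln.Addr().String(), cliCfg) // client side
	ln.Close()
	if err == nil {
		io.ReadAll(cli) // drain until close_notify, or until the server's rejection alert arrives
		cli.Close()
	}
	return cn, errors.Join(err, <-done)
}

func main() {
	day := time.Now().Add(24 * time.Hour)
	ca, other := issue("corp-client-ca", nil, day), issue("unrelated-ca", nil, day)
	trust := x509.NewCertPool()
	trust.AddCert(ca.Leaf)
	server := &tls.Config{Certificates: []tls.Certificate{issue("server.test", &ca, day)}, ClientCAs: trust, ClientAuth: tls.VerifyClientCertIfGiven}
	for _, installed := range [][]tls.Certificate{{issue("alice", &ca, day)}, {}, {issue("bob", &other, day), issue("alice", &ca, day)}} {
		cn, err := handshake(server, &tls.Config{RootCAs: trust, ServerName: "server.test", GetClientCertificate: autoSelect(installed)})
		fmt.Printf("%d installed: server saw %q, err=%v\n", len(installed), cn, err)
	}
}
```

Run as is, the program walks the "Basic", "no Certificate" and "only one is valid" scenarios: the server sees alice, then no certificate with the handshake still completing because it was only requested, then alice again with bob's certificate never offered because its issuer is not in the server's CA list. Switching the server to tls.RequireAndVerifyClientCert turns the no-certificate case into a handshake failure, which is the connection error the text describes; since a TLS 1.3 client finishes its side of the handshake before the server examines the certificate, that failure shows up on the client's first read rather than from Dial. crypto/tls's own default selection from Config.Certificates applies the same issuer check through CertificateRequestInfo.SupportsCertificate, but it does not look at the validity period, which is why the expiry filter is explicit here.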