client certificates

Discussion in 'ASP .Net Security' started by Shaun Wilde, Apr 6, 2005.

  1. Shaun Wilde

    Shaun Wilde Guest

    I am authenticating users to a site using client certificates and all is
    well
    except for a few issues.

    #1) Once a browser has been challenged, if the user leaves the site in the
    same browser and then returns the browser isn't rechallenged even if the
    session has expired. Is there a way to force a rechallenge?

    #2) If I want to use the certificate to sign some data I'd like the user to
    present the password again to their certificate (to avoid the popped to
    toilet security scenario), this is for critical processes.

    I tried opening up child windows etc however it seems that parent/child
    windows share this authentication information by default and I can't see how
    to stop that?

    Thankx

    Shaun Wilde
    Shaun Wilde, Apr 6, 2005
    #1

  2. [MSFT]

    [MSFT] Guest

    Hello,

    #1) I think IE will display the cached content when you return and it
    doesn't send a request to the server side. You may disable the client cache with:

    <META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">

    and

    Response.Expires = -1

    #2) Can you explain more on this issue? I am not clear why you need the
    user to input the password and why this page cannot be authenticated.

    Thanks,

    Luke
    [MSFT], Apr 7, 2005
    #2
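The cache-busting advice above, carried through as an added example (not code from the thread): an ASP.NET Web Forms page that sends Luke's no-cache directives as real HTTP headers rather than a META tag, and then re-checks both the client certificate IIS negotiated and the server-side session on every request. The page name, the "AuthenticatedSubject" session key and the Start.aspx landing page are assumptions made here for illustration.

```csharp
// Added example, not code from the thread. Assumes an ASP.NET Web Forms
// page; the session key and the Start.aspx redirect target are hypothetical.
using System;
using System.Web;
using System.Web.UI;

public partial class SecurePage : Page
{
    protected void Page_Load(object sender, EventArgs e)
    {
        // Same intent as <META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
        // and Response.Expires = -1, but sent as HTTP headers, which proxies
        // and non-IE browsers honour more reliably than a META tag.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);       // Cache-Control: no-cache
        Response.Cache.SetNoStore();                                    // Cache-Control: no-store
        Response.Cache.SetRevalidation(HttpCacheRevalidation.AllCaches);
        Response.Cache.SetExpires(DateTime.UtcNow.AddYears(-1));        // Expires: in the past

        // The certificate was negotiated at the TLS layer and IIS exposes it
        // here. The browser keeps presenting it without prompting the user,
        // so the page itself must refuse service when it is missing or invalid.
        HttpClientCertificate cert = Request.ClientCertificate;
        if (!cert.IsPresent || !cert.IsValid)
        {
            Response.StatusCode = 403;
            Response.End();
            return;
        }

        // Bind the certificate subject to the server-side session. A new
        // session means the previous one timed out: the user is no longer
        // treated as authenticated even though the browser silently re-sent
        // the same certificate, and is sent to an explicit re-entry page.
        string subject = cert.Subject;
        if (Session.IsNewSession || !subject.Equals(Session["AuthenticatedSubject"]))
        {
            Session["AuthenticatedSubject"] = subject;
            Response.Redirect("~/Start.aspx", true);
            return;
        }

        // From here on the request is both certificate-authenticated and
        // bound to a live server-side session.
    }
}
```

The headers only guarantee that the browser re-fetches the page instead of showing a cached copy; whether the user is prompted for the certificate again is decided by the browser's TLS stack, not by the server. The control the server actually owns is the session lifetime, which is why the check above treats an expired session as "not authenticated" regardless of what the browser presents.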

  3. I'm not sure if you can do #1 with client certificates as that is handled by
    the client, not the server. There is a new IE 6 DOM method that allows you
    to clear client credentials, but I'm not sure if that works with
    certificates and it only supports that browser.

    Regarding #2, I don't understand what you mean. Are you trying to sign some
    data with the user's private key? To do that, you'll need code running on
    their workstation (.NET control or ActiveX). You don't have the user's
    private key on the server, so you can't sign anything server side.

    Can you explain more?

    Joe K.

    "Shaun Wilde" <> wrote in message
    news:...
    >I am authenticating users to a site using client certificates and all is
    > well
    > except for a few issues.
    >
    > #1) Once a browser has been challenged, if the user leaves the site in the
    > same browser and then returns the browser isn't recallenged even if the
    > session has expired. Is there a way to force a rechallenge?
    >
    > #2) If I want to use the certificate to sign some data I'd like the user
    > to
    > present the password again to their certificate (to avoid the popped to
    > toilet security scenario), this is for critical processes.
    >
    > I tried opening up child windows etc however it seems that parent/child
    > windows share this authentication information by default and I can't see
    > how
    > to stop that?
    >
    > Thankx
    >
    > Shaun Wilde
    Joe Kaplan (MVP - ADSI), Apr 7, 2005
    #3
  4. Shaun Wilde

    Shaun Wilde Guest

    #1) I'll give it a try

    #2) I wish to sign a document - to do so I need to send the data to the
    users browser - and the client will sign it using their client certificate
    (if the client certificate is protected by a password then the user should
    have to enter the password. Why? It is so if the user leaves their terminal
    unattended then a malicious user cannot sign it on their behalf as they
    would not know the password. Security!!

    I just don't know how to do this.


    "[MSFT]" <> wrote in message
    news:...
    > Hello,
    >
    > #1) I think IE will display the cached content when you return and it
    > doesn't send a request to the server side. You may disable the client cache with:
    >
    > <META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
    >
    > and
    >
    > Response.Expires = -1
    >
    > #2) Can you explain more on this issue? I am not clear why you need the
    > user to input the password and why this page cannot be authenticated.
    >
    > Thanks,
    >
    > Luke
    Shaun Wilde, Apr 7, 2005
    #4
  5. Shaun Wilde

    Shaun Wilde Guest

    #1) thanks I'll look into it

    #2) I wish to sign a document (actually some XML data) - to do so I need to
    send the data to the users browser - and the client will sign it using their
    client certificate (if the client certificate is protected by a password
    then the user should have to enter the password. Why? It is so if the user
    leaves their terminal unattended then a malicious user cannot sign it on
    their behalf as they would not know the password. Security!!

    I just don't know how to do this.


    "Joe Kaplan (MVP - ADSI)" <> wrote
    in message news:...
    > I'm not sure if you can do #1 with client certificates as that is handled by
    > the client, not the server. There is a new IE 6 DOM method that allows you
    > to clear client credentials, but I'm not sure if that works with
    > certificates and it only supports that browser.
    >
    > Regarding #2, I don't understand what you mean. Are you trying to sign some
    > data with the user's private key? To do that, you'll need code running on
    > their workstation (.NET control or ActiveX). You don't have the user's
    > private key on the server, so you can't sign anything server side.
    >
    > Can you explain more?
    >
    > Joe K.
    >
    > "Shaun Wilde" <> wrote in message
    > news:...
    > >I am authenticating users to a site using client certificates and all is
    > > well
    > > except for a few issues.
    > >
    > > #1) Once a browser has been challenged, if the user leaves the site in the
    > > same browser and then returns the browser isn't rechallenged even if the
    > > session has expired. Is there a way to force a rechallenge?
    > >
    > > #2) If I want to use the certificate to sign some data I'd like the user
    > > to
    > > present the password again to their certificate (to avoid the popped to
    > > toilet security scenario), this is for critical processes.
    > >
    > > I tried opening up child windows etc however it seems that parent/child
    > > windows share this authentication information by default and I can't see
    > > how
    > > to stop that?
    > >
    > > Thankx
    > >
    > > Shaun Wilde
    Shaun Wilde, Apr 7, 2005
    #5
  6. If you want to sign a document, you will need code running on their
    workstation such as an ActiveX control or downloaded .NET control. The
    private key exists only on the user's workstation, not on the server.

    If your code accesses the private key, the user should be prompted for their
    password on the key (assuming the key is password protected). I'm not sure
    if this prompting is cached or not, so you would have to test that. Note
    that since this code will be independent of the web page, your code will
    trigger the request for the key password even if they already entered the
    password to view the page with their client certificate.

    Joe K.

    "Shaun Wilde" <> wrote in message
    news:...
    > #1) I'll give it a try
    >
    > #2) I wish to sign a document - to do so I need to send the data to the
    > users browser - and the client will sign it using their client certificate
    > (if the client certificate is protected by a password then the user should
    > have to enter the password. Why? It is so if the user leaves their
    > terminal
    > unattended then a malicious user cannot sign it on their behalf as they
    > would not know the password. Security!!
    >
    > I just don't know how to do this.
    >
    >
    > "[MSFT]" <> wrote in message
    > news:...
    >> Hello,
    >>
    >> #1) I think IE will display the cached content when you return and it
    >> doesn't send a request to the server side. You may disable the client cache with:
    >>
    >> <META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
    >>
    >> and
    >>
    >> Response.Expires = -1
    >>
    >> #2) Can you explain more on this issue? I am not clear why you need the
    >> user to input the password and why this page cannot be authenticated.
    >>
    >> Thanks,
    >>
    >> Luke
    Joe Kaplan (MVP - ADSI), Apr 7, 2005
    #6
  7. Shaun Wilde

    Shaun Wilde Guest

    Ah - I see - I did wonder if it had to be something like that

    Since, however, I'd like to handle all browsers, I'd have to
    consider a Java applet rather than just an IE solution.

    Do you know of any examples of these in ActiveX and/or Java?

    thanks

    Shaun Wilde

    "Joe Kaplan (MVP - ADSI)" <> wrote
    in message news:ezF$...
    > If you want to sign a document, you will need code running on their
    > workstation such as an ActiveX control or downloaded .NET control. The
    > private key exists only on the user's workstation, not on the server.
    >
    > If your code accesses the private key, the user should be prompted for their
    > password on the key (assuming the key is password protected). I'm not sure
    > if this prompting is cached or not, so you would have to test that. Note
    > that since this code will be independent of the web page, your code will
    > trigger the request for the key password even if they already entered the
    > password to view the page with their client certificate.
    >
    > Joe K.
    >
    > "Shaun Wilde" <> wrote in message
    > news:...
    > > #1) I'll give it a try
    > >
    > > #2) I wish to sign a document - to do so I need to send the data to the
    > > users browser - and the client will sign it using their client certificate
    > > (if the client certificate is protected by a password then the user should
    > > have to enter the password. Why? It is so if the user leaves their
    > > terminal
    > > unattended then a malicious user cannot sign it on their behalf as they
    > > would not know the password. Security!!
    > >
    > > I just don't know how to do this.
    > >
    > >
    > > "[MSFT]" <> wrote in message
    > > news:...
    > >> Hello,
    > >>
    > >> #1) I think IE will display the cached content when you return and it
    > >> doesn't send a request to the server side. You may disable the client cache with:
    > >>
    > >> <META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
    > >>
    > >> and
    > >>
    > >> Response.Expires = -1
    > >>
    > >> #2) Can you explain more on this issue? I am not clear why you need
    > >> the user to input the password and why this page cannot be authenticated.
    > >>
    > >> Thanks,
    > >>
    > >> Luke
    Shaun Wilde, Apr 8, 2005
    #7
  8. You might try Michel Gallant's web site for samples:

    www.jensign.com

    My guess is that you'll have a hard time getting this to work with a Java
    applet because the Java sandbox probably won't let you have access to the
    resources on the machine you need to do the actual work.

    Part of what you need to consider with signing is whether you want detached
    signatures or CMS/PKCS#7 Signed Data messages with the signature embedded.
    Either way though, it will probably be difficult getting this deployed.

    Joe K.

    "Shaun Wilde" <> wrote in message
    news:...
    > Ah - I see - I did wonder if it had to be something like that
    >
    > Since, however, I'd like to handle all browsers, I'd have to
    > consider a Java applet rather than just an IE solution.
    >
    > Do you know of any examples of these in ActiveX and/or Java?
    >
    > thanks
    >
    > Shaun Wilde
    >
    > "Joe Kaplan (MVP - ADSI)" <> wrote
    > in message news:ezF$...
    >> If you want to sign a document, you will need code running on their
    >> workstation such as an ActiveX control or downloaded .NET control. The
    >> private key exists only on the user's workstation, not on the server.
    >>
    >> If your code accesses the private key, the user should be prompted for their
    >> password on the key (assuming the key is password protected). I'm not sure
    >> if this prompting is cached or not, so you would have to test that. Note
    >> that since this code will be independent of the web page, your code will
    >> trigger the request for the key password even if they already entered the
    >> password to view the page with their client certificate.
    >>
    >> Joe K.
    >>
    >> "Shaun Wilde" <> wrote in message
    >> news:...
    >> > #1) I'll give it a try
    >> >
    >> > #2) I wish to sign a document - to do so I need to send the data to the
    >> > users browser - and the client will sign it using their client certificate
    >> > (if the client certificate is protected by a password then the user should
    >> > have to enter the password. Why? It is so if the user leaves their
    >> > terminal
    >> > unattended then a malicious user cannot sign it on their behalf as they
    >> > would not know the password. Security!!
    >> >
    >> > I just don't know how to do this.
    >> >
    >> >
    >> > "[MSFT]" <> wrote in message
    >> > news:...
    >> >> Hello,
    >> >>
    >> >> #1) I think IE will display the cached content when you return and it
    >> >> doesn't send a request to the server side. You may disable the client cache
    >> >> with:
    >> >>
    >> >> <META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
    >> >>
    >> >> and
    >> >>
    >> >> Response.Expires = -1
    >> >>
    >> >> #2) Can you explain more on this issue? I am not clear why you need
    >> >> the user to input the password and why this page cannot be authenticated.
    >> >>
    >> >> Thanks,
    >> >>
    >> >> Luke
    Joe Kaplan (MVP - ADSI), Apr 8, 2005
    #8
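Joe's two points, that signing must happen on the workstation because only it holds the private key (post #6) and that the output is either a detached signature or a CMS/PKCS#7 SignedData message with the content embedded (post #8), as one added example that is not code from the thread or from jensign.com. It uses .NET's SignedCms class (the System.Security.Cryptography.Pkcs assembly, a NuGet package on .NET Core). Sign() is the part that would run client-side in a downloaded .NET control; Verify() is what the web server runs and needs no private key. The sample XML order, the subject name "Alice" and the FindSigningCert helper are constructed here for illustration.

```csharp
// Added example, not code from the thread. Requires System.Security.Cryptography.Pkcs.
// The sample document, the "Alice" subject name and FindSigningCert are assumptions.
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;

public static class DocumentSigning
{
    // Workstation side. If the private key has strong protection (CSP password)
    // or lives on a smart card, the CSP prompts for it inside ComputeSignature;
    // the browser's client-certificate session does not unlock it, which is the
    // "must re-enter the password to sign" behaviour the thread is after.
    public static byte[] Sign(byte[] document, X509Certificate2 signerCert, bool detached)
    {
        var cms = new SignedCms(new ContentInfo(document), detached);
        var signer = new CmsSigner(signerCert);
        cms.ComputeSignature(signer, silent: false); // false = allow the key-password prompt
        return cms.Encode();                          // DER-encoded PKCS#7 SignedData
    }

    // Server side. A detached signature needs the original document supplied;
    // an embedded SignedData carries the content and hands it back.
    public static bool Verify(byte[] signedMessage, byte[] detachedContent,
                              bool requireTrustedChain, out string signerSubject,
                              out byte[] signedContent)
    {
        signerSubject = null;
        signedContent = null;
        SignedCms cms = detachedContent != null
            ? new SignedCms(new ContentInfo(detachedContent), true)
            : new SignedCms();
        try
        {
            cms.Decode(signedMessage);
            // verifySignatureOnly == true skips chain building (fine for test certs);
            // in production pass requireTrustedChain = true so the signer must chain
            // to a root the server trusts.
            cms.CheckSignature(verifySignatureOnly: !requireTrustedChain);
        }
        catch (CryptographicException)
        {
            return false; // bad signature, altered content, or untrusted signer
        }
        signerSubject = cms.SignerInfos[0].Certificate.Subject;
        signedContent = cms.ContentInfo.Content;
        return true;
    }

    // Finds a certificate with a usable private key in the user's personal store.
    public static X509Certificate2 FindSigningCert(string subjectName)
    {
        var store = new X509Store(StoreName.My, StoreLocation.CurrentUser);
        store.Open(OpenFlags.ReadOnly);
        try
        {
            foreach (X509Certificate2 c in store.Certificates.Find(
                         X509FindType.FindBySubjectName, subjectName, validOnly: false))
            {
                if (c.HasPrivateKey) return c;
            }
        }
        finally
        {
            store.Close();
        }
        throw new InvalidOperationException("No certificate with a private key for " + subjectName);
    }

    public static void Main()
    {
        // Constructed sample: the XML document the server sent down for signing.
        byte[] xml = Encoding.UTF8.GetBytes("<order id=\"42\"><amount>100.00</amount></order>");
        X509Certificate2 cert = FindSigningCert("Alice");

        byte[] detachedSig = Sign(xml, cert, detached: true);
        byte[] embedded = Sign(xml, cert, detached: false);

        string who; byte[] content;
        Console.WriteLine("detached ok: " + Verify(detachedSig, xml, false, out who, out content) + " by " + who);
        Console.WriteLine("embedded ok: " + Verify(embedded, null, false, out who, out content)
                          + " content=" + Encoding.UTF8.GetString(content));

        // A document altered after signing must fail verification.
        byte[] altered = Encoding.UTF8.GetBytes("<order id=\"42\"><amount>999.00</amount></order>");
        Console.WriteLine("tampered detached ok: " + Verify(detachedSig, altered, false, out who, out content));
    }
}
```

The detached form keeps the XML readable and stores only the signature blob alongside it, so the server must keep the exact bytes it sent for signing; the embedded form is self-contained and larger. Either way the server-side check is a pure verification step against the signer's public certificate, which is why, as Joe says, nothing can be signed server-side.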
  9. Shaun Wilde

    Shaun Wilde Guest

    Hi Joe

    Thanks for the link.

    What would be the Netscape solution to this then?

    Regards

    "Joe Kaplan (MVP - ADSI)" <> wrote
    in message news:...
    > You might try Michel Gallant's web site for samples:
    >
    > www.jensign.com
    >
    > My guess is that you'll have a hard time getting this to work with a Java
    > applet because the Java sandbox probably won't let you have access to the
    > resources on the machine you need to do the actual work.
    >
    > Part of what you need to consider with signing is whether you want detached
    > signatures or CMS/PKCS#7 Signed Data messages with the signature embedded.
    > Either way though, it will probably be difficult getting this deployed.
    >
    > Joe K.
    >
    > "Shaun Wilde" <> wrote in message
    > news:...
    > > Ah - I see - I did wonder if it had to be something like that
    > >
    > > Since, however, I'd like to handle all browsers, I'd have to
    > > consider a Java applet rather than just an IE solution.
    > >
    > > Do you know of any examples of these in ActiveX and/or Java?
    > >
    > > thanks
    > >
    > > Shaun Wilde
    > >
    > > "Joe Kaplan (MVP - ADSI)" <> wrote
    > > in message news:ezF$...
    > >> If you want to sign a document, you will need code running on their
    > >> workstation such as an ActiveX control or downloaded .NET control. The
    > >> private key exists only on the user's workstation, not on the server.
    > >>
    > >> If your code accesses the private key, the user should be prompted for their
    > >> password on the key (assuming the key is password protected). I'm not sure
    > >> if this prompting is cached or not, so you would have to test that. Note
    > >> that since this code will be independent of the web page, your code will
    > >> trigger the request for the key password even if they already entered the
    > >> password to view the page with their client certificate.
    > >>
    > >> Joe K.
    > >>
    > >> "Shaun Wilde" <> wrote in message
    > >> news:...
    > >> > #1) I'll give it a try
    > >> >
    > >> > #2) I wish to sign a document - to do so I need to send the data to the
    > >> > users browser - and the client will sign it using their client certificate
    > >> > (if the client certificate is protected by a password then the user should
    > >> > have to enter the password. Why? It is so if the user leaves their
    > >> > terminal
    > >> > unattended then a malicious user cannot sign it on their behalf as they
    > >> > would not know the password. Security!!
    > >> >
    > >> > I just don't know how to do this.
    > >> >
    > >> >
    > >> > "[MSFT]" <> wrote in message
    > >> > news:...
    > >> >> Hello,
    > >> >>
    > >> >> #1) I think IE will display the cached content when you return and it
    > >> >> doesn't send a request to the server side. You may disable the client cache
    > >> >> with:
    > >> >>
    > >> >> <META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">
    > >> >>
    > >> >> and
    > >> >>
    > >> >> Response.Expires = -1
    > >> >>
    > >> >> #2) Can you explain more on this issue? I am not clear why you need
    > >> >> the user to input the password and why this page cannot be authenticated.
    > >> >>
    > >> >> Thanks,
    > >> >>
    > >> >> Luke
    Shaun Wilde, Apr 10, 2005
    #9
  10. I'm not really sure. The Java applet thing might still be possible, but you
    would need to find a way out of the sandbox I believe. I'm not at all
    experienced in that area, so I can't provide much advice.

    Is this application designed for internal corporate use? You might have a
    lot more deployment options in that scenario than you would have in a
    general one. Typically, client certificates only show up in closed
    implementations as most people don't have them.

    Joe K.

    "Shaun Wilde" <> wrote in message
    news:...
    > Hi Joe
    >
    > Thanks for the link.
    >
    > What would be the Netscape solution to this then?
    >
    > Regards
    >
    > "Joe Kaplan (MVP - ADSI)" <> wrote
    > in message news:...
    >> You might try Michel Gallant's web site for samples:
    >>
    >> www.jensign.com
    >>
    >> My guess is that you'll have a hard time getting this to work with a Java
    >> applet because the Java sandbox probably won't let you have access to the
    >> resources on the machine you need to do the actual work.
    >>
    >> Part of what you need to consider with signing is whether you want detached
    >> signatures or CMS/PKCS#7 Signed Data messages with the signature
    >> embedded.
    >> Either way though, it will probably be difficult getting this deployed.
    >>
    >> Joe K.
    >>
    Joe Kaplan (MVP - ADSI), Apr 11, 2005
    #10
