client certificates

Shaun Wilde

I am authenticating users to a site using client certificates and all is
well except for a few issues.

#1) Once a browser has been challenged, if the user leaves the site in the
same browser and then returns, the browser isn't rechallenged even if the
session has expired. Is there a way to force a rechallenge?

#2) If I want to use the certificate to sign some data, I'd like the user to
present the password again to their certificate (to avoid the "popped to the
toilet" security scenario); this is for critical processes.

I tried opening up child windows etc., however it seems that parent/child
windows share this authentication information by default and I can't see how
to stop that.

Thanks

Shaun Wilde
[MSFT]

Hello,

#1) I think IE will display the cached content when you return and it
doesn't send a request to the server side. You may disable the client cache with:

<META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">

and

Response.Expires = -1

#2) Can you explain more on this issue? I am not clear why you need the
user to input the password and why this page cannot be authenticated.

Thanks,

Luke

Joe Kaplan (MVP - ADSI)

I'm not sure if you can do #1 with client certificates as that is handled by
the client, not the server. There is a new IE 6 DOM method that allows you
to clear client credentials, but I'm not sure if that works with
certificates and it only supports that browser.

Regarding #2, I don't understand what you mean. Are you trying to sign some
data with the user's private key? To do that, you'll need code running on
their workstation (.NET control or ActiveX). You don't have the user's
private key on the server, so you can't sign anything server side.

Can you explain more?

Joe K.

Shaun Wilde

#1) I'll give it a try

#2) I wish to sign a document - to do so I need to send the data to the
user's browser - and the client will sign it using their client certificate
(if the client certificate is protected by a password then the user should
have to enter the password). Why? It is so if the user leaves their terminal
unattended then a malicious user cannot sign it on their behalf as they
would not know the password. Security!!

I just don't know how to do this.

Shaun Wilde

#1) thanks I'll look into it

#2) I wish to sign a document (actually some XML data) - to do so I need to
send the data to the user's browser - and the client will sign it using their
client certificate (if the client certificate is protected by a password
then the user should have to enter the password). Why? It is so if the user
leaves their terminal unattended then a malicious user cannot sign it on
their behalf as they would not know the password. Security!!

I just don't know how to do this.

Joe Kaplan (MVP - ADSI)

If you want to sign a document, you will need code running on their
workstation such as an ActiveX control or downloaded .NET control. The
private key exists only on the user's workstation, not on the server.

If your code accesses the private key, the user should be prompted for their
password on the key (assuming the key is password protected). I'm not sure
if this prompting is cached or not, so you would have to test that. Note
that since this code will be independent of the web page, your code will
trigger the request for the key password even if they already entered the
password to view the page with their client certificate.

Joe K.

Shaun Wilde

Ah - I see - I did wonder if it had to be something like that.

Since, however, I'd like to handle all browsers, I'd have to
consider a Java applet rather than just an IE solution.

Do you know of any examples of these in ActiveX and/or Java?

thanks

Shaun Wilde

Joe Kaplan (MVP - ADSI)

You might try Michel Gallant's web site for samples:

www.jensign.com

My guess is that you'll have a hard time getting this to work with a Java
applet because the Java sandbox probably won't let you have access to the
resources on the machine you need to do the actual work.

Part of what you need to consider with signing is whether you want detached
signatures or CMS/PKCS#7 Signed Data messages with the signature embedded.
Either way though, it will probably be difficult getting this deployed.

Joe K.
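An added example (not code from the thread or from Michel Gallant's site) of the two halves Joe describes: the client-side .NET control signs the XML with the user's certificate, where reading the private key is what triggers the key-password prompt, and the server verifies the embedded signature against the certificate that authenticated the HTTPS session. It assumes .NET's System.Security.Cryptography.Xml (SignedXml) and that the caller has already picked the X509Certificate2 from the user's store; the class name XmlSigner is hypothetical.

```csharp
using System.Security.Cryptography.X509Certificates;
using System.Security.Cryptography.Xml;
using System.Xml;

public static class XmlSigner
{
    // Client side (runs in the downloaded .NET control, not on the server).
    // Reading cert.PrivateKey is what makes CAPI show the key-password prompt
    // for a key imported with strong private key protection, so the user is
    // re-prompted even though the page was already authenticated with it.
    public static string SignEnveloped(string xml, X509Certificate2 cert)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(xml);
        var signedXml = new SignedXml(doc) { SigningKey = cert.PrivateKey };

        // URI "" covers the whole document; the enveloped transform keeps the
        // <Signature> element itself out of the digest.
        var reference = new Reference("");
        reference.AddTransform(new XmlDsigEnvelopedSignatureTransform());
        signedXml.AddReference(reference);

        // Embed the signer's certificate (signature inside the data, as in PKCS#7).
        var keyInfo = new KeyInfo();
        keyInfo.AddClause(new KeyInfoX509Data(cert));
        signedXml.KeyInfo = keyInfo;

        signedXml.ComputeSignature();
        doc.DocumentElement.AppendChild(doc.ImportNode(signedXml.GetXml(), true));
        return doc.OuterXml;
    }

    // Server side. sessionCert is the certificate that authenticated the request
    // (e.g. new X509Certificate2(Request.ClientCertificate.Certificate)); checking
    // against it, not against whatever certificate the XML embeds, ties the
    // signature to the logged-in user.
    public static bool Verify(string signedXmlText, X509Certificate2 sessionCert)
    {
        var doc = new XmlDocument { PreserveWhitespace = true };
        doc.LoadXml(signedXmlText);
        var sigNodes = doc.GetElementsByTagName("Signature", SignedXml.XmlDsigNamespaceUrl);
        if (sigNodes.Count != 1) return false;

        var signedXml = new SignedXml(doc);
        signedXml.LoadXml((XmlElement)sigNodes[0]);
        // verifySignatureOnly: false also validates sessionCert's chain.
        return signedXml.CheckSignature(sessionCert, false);
    }
}
```

For a detached signature instead, sign the data's digest with the same private key and send the signature separately; the enveloped form above is the embedded variant Joe mentions.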

Shaun Wilde

Hi Joe

Thanks for the link.

What would be the Netscape solution to this then?

Regards

Joe Kaplan (MVP - ADSI)

I'm not really sure. The Java applet thing might still be possible, but you
would need to find a way out of the sandbox I believe. I'm not at all
experienced in that area, so I can't provide much advice.

Is this application designed for internal corporate use? You might have a
lot more deployment options in that scenario than you would have in a
general one. Typically, client certificates only show up in closed
implementations as most people don't have them.

Joe K.