Closed Bug 416809 Opened 17 years ago Closed 16 years ago

Create 3rd option for Client Certificate Selection: User Defined Default Selection


(Firefox :: Settings UI, enhancement)
(Reporter: weisz, Unassigned)
User-Agent:       Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv: Gecko/20071108 SeaMonkey/1.1.6
Build Identifier: Mozilla/5.0 (X11; U; SunOS sun4u; en-US; rv: Gecko/20071108 SeaMonkey/1.1.6

For the different roles I may assume, which define my access rights to different web pages, I have different cryptographic key/certificate pairs.

When accessing multiple such pages that require the same certificate, and that certificate isn't the one Mozilla picks by its own algorithm, the "Ask Every Time" option results in tediously re-choosing the same certificate, which may even happen multiple times per page. The possibility to (re-)define, permanently or for a session, the key and certificate that Mozilla will use automatically for each request from the server would greatly enhance usability. This is similar to the already existing facility to define different certificate/key pairs for different mail accounts in Thunderbird/SeaMonkey.

Therefore my request for enhancement: add a third option to the Client Certificate Selection: Select a Certificate to be Used Automatically.

My use of multiple key pairs is different from the case already mentioned in another bug report, where multiple people use the same Mozilla profile, resulting in a security-wise undesirable sharing of the password for the Software Security Device. The fact that the latter scenario would also benefit from the requested feature shouldn't be a deterrent.

Reproducible: Always

Steps to Reproduce:
I forgot to mention that the certificates belonging to the different key pairs have, of course, differing Subject Distinguished Names.

A server that requests client authentication multiple times per page,
or even for every page, is a server that has a broken, nonfunctional,
or incorrectly configured SSL session cache. This is a server defect.

SSL was designed to facilitate repeated connections between the same 
client and server without necessitating a "full" handshake that exchanges 
certificates and signatures every time.  Mozilla browsers contain full
support for this feature of SSL, but apparently many servers (especially
free open source servers) do not.

Browser users seem to assume that, since the browser is presenting them
with the requests for cert selection, the browser must be at fault, and
a change to the browser is suggested.  It would really be best for all
concerned for the users of these deficient servers to lean on the server
makers, and get them to make these SSL server session caches work as 
intended in the SSL/TLS RFC.

I will add that some server admins intentionally configured their servers
to disable the session cache, because they want the browser user to be able
to choose a potentially different cert for every page.  They understand that
when the client and server both implement the session cache, after the
first connection between a client and server, the server will not ask the
client to reauthenticate again for some period of time, and the user will
not have an opportunity to change his mind about the cert with which he
will be identified until the server asks again.  They are trying to solve
the "problem" of browser users not having the ability to choose a different
cert whenever they please.

However, there is a much better solution to that problem than to disable the
server's session cache.  The SSL client can always, and at any time, choose
to "forget" the information about its session with any remote server (or all
remote servers).  Doing so will force a reauthentication on the next 
connection to the affected server(s).  

The questions for the browser are:
- Is there a way (some UI, such as a menu item or dialog button) for the 
browser user to cause his session information for one (or all) server(s) 
to be forgotten? 
- If so, what is it?  

In WinXP, MS IE has a button labeled "Clear SSL State" in the Content tab
of the Internet Options dialog (Tools->Internet Options).  That button has 
the effect of forgetting the session information for all SSL sessions with
all servers.  I expect that the Firefox UI gurus could design a better 
solution, including the ability to delete just a single server's session
information, if they really want to.
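Not part of the bug discussion: an added shell check, written for this page, that exercises the session cache behaviour described in the two comments above (a working cache resumes the session without asking for the client cert again; a client that forgets its session forces a fresh authentication) against a throwaway local openssl s_server. The certificate files and PORT are constructed assumptions, not anything from the bug.

```shell
#!/bin/sh
# Added example (not from this bug): test a TLS server's session cache with
# openssl s_client, the check the comments above ask for. A throwaway local
# s_server requiring client certs stands in for the real server; the certs
# are constructed self-signed throwaways, and PORT is an assumed free port.
set -eu
WORK=$(mktemp -d)
PORT=${PORT:-44330}
trap 'kill "${SRV_PID:-}" 2>/dev/null || true; rm -rf "$WORK"' EXIT

# Constructed server and client identities (self-signed, no CA).
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=localhost \
  -keyout "$WORK/srv.key" -out "$WORK/srv.crt" 2>/dev/null
openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj /CN=client \
  -keyout "$WORK/cli.key" -out "$WORK/cli.crt" 2>/dev/null

# Server that demands a client certificate (-Verify 1); its session cache
# is on by default. TLS 1.2 is pinned so the New/Reused status line is stable.
openssl s_server -accept "$PORT" -tls1_2 -cert "$WORK/srv.crt" \
  -key "$WORK/srv.key" -Verify 1 -CAfile "$WORK/cli.crt" -www >/dev/null 2>&1 &
SRV_PID=$!

# One client connection; prints the handshake status line: "New," means a
# full handshake (certificate requested and sent), "Reused," means resumed.
connect() {  # connect [extra s_client options]
  openssl s_client -connect "127.0.0.1:$PORT" -tls1_2 -cert "$WORK/cli.crt" \
    -key "$WORK/cli.key" "$@" </dev/null 2>/dev/null | grep -E '^(New|Reused),'
}

# Wait until the server answers.
for _ in 1 2 3 4 5 6 7 8 9 10; do
  connect >/dev/null && break
  sleep 1
done

# 1) full handshake, session saved; 2) resumed from the saved session, so the
# server does not ask for the cert again; 3) client "forgets" the session
# (simply does not present it), forcing a fresh authentication.
first=$(connect -sess_out "$WORK/sess.pem")
second=$(connect -sess_in "$WORK/sess.pem")
third=$(connect)
echo "1: $first"; echo "2: $second"; echo "3: $third"

# Returns success only if the server's cache actually resumed the session.
server_cache_works() { printf '%s\n' "$second" | grep -q '^Reused,'; }
```

Against a real server, replace the local s_server with `-connect host:443` and your own client cert; a server that prints "New," on the second connection is the "server defect" the comment describes.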

I've been told that in FF3, Tools->"Clear Private Data" brings up a dialog
in which you can clear the client's SSL session cache.
Closed: 16 years ago
Resolution: --- → DUPLICATE