--On August 19, 2011 12:21:14 +0100 Alexey Melnikov <alexey.melnikov@xxxxxxxxx> wrote:

> Hi Chris,
> My personal replies are (without consulting with Mykyta):
>
> Chris Newman wrote:
>> From a technical viewpoint, I have two suggestions:
>>
>> Add to section 2.1:
>>
>>    Servers that lack configuration to accept an X.509 client certificate
>>    for authentication purposes MUST NOT send a CertificateRequest
>>    handshake to the client during TLS negotiation.
>
> I am wondering whether this is actually possible to enforce using existing
> TLS stacks. I would rather not make this a MUST NOT level requirement if
> there are no APIs for this in, for example, OpenSSL.
>
> I'd be fine with a SHOULD NOT.

It's an important usability issue -- many clients pop up an intrusive "certificate selection dialog" if the server asks for a certificate. The NSS APIs support this check although the APIs to do so are difficult to use and non-obvious (you have to search for a cert with a client-certificate CA trust flag in the certificate db).
- Chris
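For readers who want to see what the proposed requirement means on the server side, here is an added illustration in Python; it is not code from the draft or from either correspondent. It assumes Python's standard `ssl` module, where `verify_mode` on a server context maps onto OpenSSL's `SSL_CTX_set_verify`, so `CERT_NONE` means the server never emits a CertificateRequest and `CERT_OPTIONAL` means it does (without failing the handshake for clients that present nothing). The configuration key `client_ca_file` is a hypothetical name chosen for the example.

```python
"""Only ask for a client certificate when the server can actually use one.

Added example for this thread (not the draft's text, not the authors' code).
Assumes: Python's ssl module; a server config dict with an optional
"client_ca_file" key (hypothetical name) pointing at the CA bundle that
client certificates are validated against.
"""
import ssl


def decide_verify_mode(config):
    """Pick the verify_mode for a server-side SSLContext.

    CERT_NONE:     no CertificateRequest is sent, so clients with several
                   personal certificates never see a selection dialog.
    CERT_OPTIONAL: CertificateRequest is sent; a client may answer with a
                   certificate or continue without one (e.g. fall back to
                   a password mechanism).
    CERT_REQUIRED is deliberately never chosen here: it aborts the handshake
    for every client that has no certificate, which is not what an
    application server that also offers other authentication wants.
    """
    if not config.get("client_ca_file"):
        # No trust anchors for client certs configured -> the server could
        # not verify a certificate anyway, so do not ask for one.
        return ssl.CERT_NONE
    return ssl.CERT_OPTIONAL


def build_server_context(config, certfile=None, keyfile=None):
    """Create a server context whose client-cert behaviour follows config."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    if certfile:
        # Server's own certificate chain; omitted in the offline test.
        ctx.load_cert_chain(certfile, keyfile)
    mode = decide_verify_mode(config)
    if mode != ssl.CERT_NONE:
        # Load the CA set first: a presented client certificate is checked
        # against it, and without it CERT_OPTIONAL would reject every cert.
        ctx.load_verify_locations(cafile=config["client_ca_file"])
    ctx.verify_mode = mode
    return ctx


def requests_client_certificate(ctx):
    """True if a handshake on this context will carry a CertificateRequest."""
    return ctx.verify_mode != ssl.CERT_NONE


if __name__ == "__main__":
    ctx = build_server_context({})            # no client CA configured
    print("sends CertificateRequest:", requests_client_certificate(ctx))
```

The operational check a deployer wants is the last function: inspect the live context (or, with OpenSSL, the mode returned by `SSL_CTX_get_verify_mode`) rather than the intent in a config file, since a framework that defaults to `CERT_OPTIONAL` "just in case" is exactly what produces the intrusive dialog described above.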