client certificates

 
 
Shaun Wilde
04-06-2005
I am authenticating users to a site using client certificates and all is well except for a few issues.

#1) Once a browser has been challenged, if the user leaves the site in the same browser and then returns, the browser isn't rechallenged even if the session has expired. Is there a way to force a rechallenge?

#2) If I want to use the certificate to sign some data, I'd like the user to present the password to their certificate again (to avoid the "popped to the toilet" security scenario); this is for critical processes.

I tried opening up child windows etc., however it seems that parent/child windows share this authentication information by default and I can't see how to stop that.

Thankx

Shaun Wilde


 
[MSFT]
04-07-2005
Hello,

#1) I think IE will display the cached content when you return and doesn't send a request to the server side. You may disable the client cache with:

<META HTTP-EQUIV="CACHE-CONTROL" CONTENT="NO-CACHE">

and

Response.Expires = -1

#2) Can you explain more on this issue? I am not clear why you need the user to input the password and why this page cannot be authenticated.

Thanks,

Luke
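An added example (not code from Luke's reply or from any project) of what the ASP.NET side can actually control here: it sends the no-cache headers through Response.Cache, which proxies honour as well, and re-validates the presented certificate plus the application's own idle timeout on every request. It cannot make the browser re-prompt for the certificate, because that negotiation happens in the client at the TLS layer; IdleLimit and LookupUserBySerial are assumed names.

```csharp
using System;
using System.Web;
using System.Web.UI;

// Code-behind for a page protected by client certificates
// (added example; IdleLimit and LookupUserBySerial are assumed).
public partial class SecurePage : Page
{
    // Server-side idle limit; assumed value, tune for the application.
    private static readonly TimeSpan IdleLimit = TimeSpan.FromMinutes(10);

    protected void Page_Load(object sender, EventArgs e)
    {
        // 1. Stop the browser or a proxy from replaying this page from cache
        //    when the user leaves and comes back. Headers set via
        //    Response.Cache reach intermediaries; a <META HTTP-EQUIV> tag
        //    is only seen by the browser.
        Response.Cache.SetCacheability(HttpCacheability.NoCache);
        Response.Cache.SetNoStore();
        Response.Cache.SetExpires(DateTime.UtcNow.AddDays(-1));

        // 2. Check the certificate the TLS layer presented on THIS request
        //    rather than a flag set earlier in the session.
        HttpClientCertificate cert = Request.ClientCertificate;
        if (!cert.IsPresent || !cert.IsValid)
        {
            Response.StatusCode = 403;
            Response.End();
        }

        // 3. Enforce the application's own idle timeout. An expired ASP.NET
        //    session does not make IIS re-challenge the browser, so a stale
        //    session has to be treated as unauthenticated here.
        DateTime? lastSeen = Session["LastSeen"] as DateTime?;
        string boundSubject = Session["CertSubject"] as string;
        bool stale = lastSeen == null
                     || DateTime.UtcNow - lastSeen.Value > IdleLimit
                     || boundSubject != cert.Subject;
        if (stale)
        {
            // Rebuild server-side state from the certificate just presented.
            Session.Clear();
            Session["CertSubject"] = cert.Subject;
            Session["UserId"] = LookupUserBySerial(cert.SerialNumber);
        }
        Session["LastSeen"] = DateTime.UtcNow;
    }

    // Hypothetical placeholder for the application's certificate-to-user lookup.
    private static string LookupUserBySerial(string serialNumber)
    {
        return "user-for-" + serialNumber;
    }
}
```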

 
Joe Kaplan (MVP - ADSI)
04-07-2005
I'm not sure if you can do #1 with client certificates as that is handled by
the client, not the server. There is a new IE 6 DOM method that allows you
to clear client credentials, but I'm not sure if that works with
certificates and it only supports that browser.

Regarding #2, I don't understand what you mean. Are you trying to sign some
data with the user's private key? To do that, you'll need code running on
their workstation (.NET control or ActiveX). You don't have the user's
private key on the server, so you can't sign anything server side.

Can you explain more?

Joe K.

Shaun Wilde
04-07-2005
#1) I'll give it a try

#2) I wish to sign a document - to do so I need to send the data to the user's browser - and the client will sign it using their client certificate (if the client certificate is protected by a password then the user should have to enter the password). Why? It is so if the user leaves their terminal unattended then a malicious user cannot sign it on their behalf as they would not know the password. Security!!

I just don't know how to do this.


Shaun Wilde
04-07-2005
#1) Thanks, I'll look into it.

#2) I wish to sign a document (actually some XML data) - to do so I need to send the data to the user's browser - and the client will sign it using their client certificate (if the client certificate is protected by a password then the user should have to enter the password). Why? It is so if the user leaves their terminal unattended then a malicious user cannot sign it on their behalf as they would not know the password. Security!!

I just don't know how to do this.


Joe Kaplan (MVP - ADSI)
04-07-2005
If you want to sign a document, you will need code running on their
workstation such as an ActiveX control or downloaded .NET control. The
private key exists only on the user's workstation, not on the server.

If your code accesses the private key, the user should be prompted for their
password on the key (assuming the key is password protected). I'm not sure
if this prompting is cached or not, so you would have to test that. Note
that since this code will be independent of the web page, your code will
trigger the request for the key password even if they already entered the
password to view the page with their client certificate.

Joe K.

Shaun Wilde
04-08-2005
Ah - I see - I did wonder if it had to be something like that.

Since, however, I'd like to handle all browsers, I'd have to consider a Java applet rather than just an IE solution.

Do you know of any examples of these in ActiveX and/or Java?

thanks

Shaun Wilde

Joe Kaplan (MVP - ADSI)
04-08-2005
You might try Michel Gallant's web site for samples:

www.jensign.com

My guess is that you'll have a hard time getting this to work with a Java
applet because the Java sandbox probably won't let you have access to the
resources on the machine you need to do the actual work.

Part of what you need to consider with signing is whether you want detached
signatures or CMS/PKCS#7 Signed Data messages with the signature embedded.
Either way though, it will probably be difficult getting this deployed.

Joe K.
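As an added example (not code from Joe's reply or from jensign.com), this is the server-side half in C# once a client-side control has produced the CMS/PKCS#7 SignedData that Joe describes, covering both the detached and the embedded form. It uses SignedCms from System.Security.Cryptography.Pkcs and assumes the client posts back the DER bytes and that the signing certificate should be the same one that authenticated the TLS session; the class and method names are mine.

```csharp
using System;
using System.Security.Cryptography;
using System.Security.Cryptography.Pkcs;
using System.Security.Cryptography.X509Certificates;
using System.Text;

// Server-side check of a CMS/PKCS#7 SignedData blob produced on the client
// (added example; SignedXmlVerifier and VerifyAndExtract are assumed names).
public static class SignedXmlVerifier
{
    // Returns the signed XML when the signature verifies and the signer is the
    // certificate that authenticated the current TLS session; throws otherwise.
    public static string VerifyAndExtract(byte[] cmsBlob, byte[] detachedContent,
                                          byte[] tlsClientCertRaw)
    {
        SignedCms cms;
        if (detachedContent != null)
        {
            // Detached signature: the server supplies the exact bytes that were
            // signed; the blob carries only the signature and certificates.
            cms = new SignedCms(new ContentInfo(detachedContent), true);
        }
        else
        {
            // Embedded SignedData: the content travels inside the blob.
            cms = new SignedCms();
        }
        cms.Decode(cmsBlob);   // throws CryptographicException on malformed input

        if (cms.SignerInfos.Count != 1)
            throw new CryptographicException("expected exactly one signer");

        // verifySignatureOnly = false also builds and validates the signer's
        // certificate chain against the server's trust store.
        cms.CheckSignature(false);

        // Bind the signature to the user authenticated on this connection, so a
        // signature made with some other trusted certificate is not accepted
        // on this user's behalf.
        X509Certificate2 signer = cms.SignerInfos[0].Certificate;
        X509Certificate2 tlsCert = new X509Certificate2(tlsClientCertRaw);
        if (signer == null || signer.Thumbprint != tlsCert.Thumbprint)
            throw new CryptographicException("signer does not match the authenticated client");

        return Encoding.UTF8.GetString(cms.ContentInfo.Content);
    }
}
```

In an ASP.NET page the third argument comes from Request.ClientCertificate.Certificate, and the first from the form field or request body the client control posts the blob to.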

Shaun Wilde
04-10-2005
Hi Joe

Thanks for the link.

What would be the Netscape solution to this then?

Regards

Joe Kaplan (MVP - ADSI)
04-11-2005
I'm not really sure. The Java applet thing might still be possible, but you
would need to find a way out of the sandbox I believe. I'm not at all
experienced in that area, so I can't provide much advice.

Is this application designed for internal corporate use? You might have a
lot more deployment options in that scenario than you would have in a
general one. Typically, client certificates only show up in closed
implementations as most people don't have them.

Joe K.
