The whole point of the certificate is that you use it to identify
yourself. To identify yourself, you present your certificate and prove
that it is yours by carrying out the mutual authorization handshaking.
By definition, a certificate should not contain information you wish to
keep private. If you are concerned that your certificate does contain
information you think should be kept private, I suggest you contact your
CA. For the UK e-science CA, the only semi-personal info other than the
name of the person is the organisation for which they work.
Linda.
> -----Original Message-----
> From: LHC Computer Grid - Rollout [mailto:LCG-[log in to unmask]] On Behalf Of Kyriakos Ginis
> Sent: 30 March 2007 14:17
> To: [log in to unmask]
> Subject: Re: [LCG-ROLLOUT] certificate privacy issues
>
> On Fri, Mar 30, 2007 at 02:47:59PM +0200, Dennis van Dok wrote:
> > Derek Feichtinger wrote:
> > >Hi, Oscar
> > >
> > >The privacy problem is that your certificate is sent to any HTTPS server
> > >that you access as part of the handshake.
> >
> > Is this true? If I go to https://www.scientificlinux.org/, I get no
> > pop-up in firefox, while visiting GGUS (http://gus.fzk.de/) asks me if I
> > want to send my certificate (I could still refuse).
>
> I believe it is not true. The client sends its certificate only if
> requested by the server, when there is the need of mutual
> authentication. This is proved by a simple test like what you did. Also,
> I quote RFC4346 (The TLS Protocol, Version 1.1). I highlight the
> interesting words:
>
> ------------------------ cut here ---------------------
> 7.4.4. Certificate request
>
>
> When this message will be sent:
>
> A non-anonymous server can *optionally* request a certificate from
> the client, if it is appropriate for the selected cipher suite.
>
> [snip]
>
> 7.4.6. Client certificate
>
>
> When this message will be sent:
>
> This is the first message the client can send after receiving a
> server hello done message. This message is *only sent if the
> server requests a certificate*.
> ------------------------ cut here ---------------------
>
> SSL v2.0 and v.3 specs are similar.
>
> Anyway Firefox and Konqueror (and I hope IE too) can be configured so
> they ask the user through a pop-up if he accepts sending his
> certificate.
>
> --
> Kyriakos Ginis
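The point Kyriakos makes above (the client certificate is only transmitted after the server sends a CertificateRequest) can be checked without a browser. The Go program below is an added example, not part of this thread or of any grid software: it generates two throwaway self-signed certificates, runs a TLS handshake over an in-memory pipe under three server policies, and reports whether the client's certificate ever reached the server. The "localhost" server name and the "grid user" subject are constructed for the demo.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// selfSigned builds a throwaway self-signed certificate (constructed for this demo, no
// real CA). It is flagged CA so the peer can pin it as a trust root, and carries both
// serverAuth and clientAuth so one helper serves both sides of the handshake.
func selfSigned(cn string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		BasicConstraintsValid: true,
		IsCA:                  true,
		DNSNames:              []string{"localhost"}, // assumed server name for the demo
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key}, leaf, err
}

// clientCertSent runs one handshake over an in-memory pipe and reports whether the
// client's certificate reached the server. The client always has a certificate loaded
// (like a browser with a grid certificate installed); only the server policy varies.
func clientCertSent(mode tls.ClientAuthType) (bool, error) {
	serverCert, serverLeaf, err := selfSigned("localhost")
	if err != nil {
		return false, err
	}
	clientCert, clientLeaf, err := selfSigned("grid user (constructed)")
	if err != nil {
		return false, err
	}
	serverRoots, clientRoots := x509.NewCertPool(), x509.NewCertPool()
	serverRoots.AddCert(serverLeaf)
	clientRoots.AddCert(clientLeaf)
	srvCfg := &tls.Config{
		Certificates:           []tls.Certificate{serverCert},
		ClientAuth:             mode,        // decides whether a CertificateRequest is sent
		ClientCAs:              clientRoots, // advertised as acceptable CAs in that request
		SessionTicketsDisabled: true,        // not needed for a one-shot handshake
	}
	cliCfg := &tls.Config{
		Certificates: []tls.Certificate{clientCert}, // offered only if the server asks
		RootCAs:      serverRoots,
		ServerName:   "localhost",
	}
	cRaw, sRaw := net.Pipe()
	defer cRaw.Close()
	defer sRaw.Close()
	cRaw.SetDeadline(time.Now().Add(10 * time.Second)) // turn any stall into an error
	sRaw.SetDeadline(time.Now().Add(10 * time.Second))
	cli, srv := tls.Client(cRaw, cliCfg), tls.Server(sRaw, srvCfg)
	cliErr := make(chan error, 1)
	go func() { cliErr <- cli.Handshake() }()
	if err := srv.Handshake(); err != nil {
		return false, fmt.Errorf("server handshake: %w", err)
	}
	if err := <-cliErr; err != nil {
		return false, fmt.Errorf("client handshake: %w", err)
	}
	// The server's view of the peer stays empty unless a certificate was sent.
	return len(srv.ConnectionState().PeerCertificates) > 0, nil
}

// runAllModes returns, per server policy name, whether the client certificate was sent.
func runAllModes() (map[string]bool, error) {
	policies := map[string]tls.ClientAuthType{"NoClientCert": tls.NoClientCert,
		"RequestClientCert": tls.RequestClientCert, "RequireAndVerifyClientCert": tls.RequireAndVerifyClientCert}
	out := map[string]bool{}
	for name, mode := range policies {
		sent, err := clientCertSent(mode)
		if err != nil {
			return nil, fmt.Errorf("%s: %w", name, err)
		}
		out[name] = sent
	}
	return out, nil
}

func main() {
	res, err := runAllModes()
	fmt.Println(res, err) // NoClientCert:false, the two requesting policies: true
}
```

With NoClientCert (what an ordinary HTTPS site such as a download mirror uses) the server never sends a CertificateRequest and `PeerCertificates` stays empty, so nothing identifying leaves the client. With RequestClientCert or RequireAndVerifyClientCert (the mutual-authentication case a grid portal configures) the certificate is sent, which is exactly when a browser configured to prompt will show its pop-up.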