Secure Sockets Layer (SSL) is a protocol that provides security for communications over networks such as the Internet. In SSL, sessions are used to describe an ongoing relationship between a server and a client. Sessions are created, or rejoined, as part of the SSL handshaking protocol. During an SSL handshake, a server can request authentication from a client to ensure that the content of the server is accessed by an authorized user. Some servers require successful client authentication; otherwise a SSL connection can be terminated. Some servers request, but do not require successful client authentication and can exchange data with a client.
A client can respond to an authentication request with a ‘no certificate’ message or a digital certificate issued by a Certificate Authority. The server can determine whether the client certificate is valid and whether it is signed by a Certificate Authority which the server trusts. Once the SSL handshake is completed and client authentication has been successfully established, access restricted content can flow encrypted across that SSL session between the client and the server. I client authentication was not required by a server and a certificate was not submitted by a client or a certificate was not valid, unrestricted data can be exchanged between the client and the server.
Typically, when a server requests authentication from a client, a browser on the client prompts the user for a certificate. Today's popular Internet clients provide only minimal support for a user in selecting a certificate, either a ‘once-per-session prompt,’ an ‘ask-every-time prompt,’ or an ‘automatically select’ configuration. Each can be inconvenient and insufficient because a user may desire to change the certificate used for a session, or the set of available certificates may change during a session.
Client applications that are configured to ask-every-time can search for a user's certificates and prompt the user to select a certificate, even if the user has only one certificate. If the application does not find a certificate that meets a server's criteria, for example, there is not a certificate issued by a Certificate Authority that is trusted by the server, the client application can send a ‘no certificate’ message to the server. Similarly, client applications that are configured to automatically select a certificate can determine if the user has a certificate that meets the server's requirements. If the application does not find a certificate that meets a server's criteria, the application sends a ‘no certificate’ message to the server. Other client applications may be configured for a once-per-session prompt. Such applications prompt a user for a certificate selection and remember which certificate a user has selected for client authentication for a particular website. A user does not have to select a client authentication certificate again if the user revisits the website during the same session. The applications, however, prompt a user for a certificate selection even if the user does not have any certificates. In such a case, these applications prompt the user to select a certificate from an empty dialog box.
Prompting a user to select a certificate, even if a user does not have any certificates, can continually inconvenience a user. In addition, a user may decide to change the client authentication for a session, but does not have any means to implement authentication configuration changes. For example, a server may request, but not require client authentication, and a user may decide to not submit a certificate or may mistakenly select an invalid certificate. The result is an unauthenticated session between a client and a server where unrestricted data may get exchanged during the session. During the session, the user may decide to use client authentication. However, once the client authentication for a session has been configured, applications do not provide a user with any mechanism to change the configuration without disrupting a session. Applications today, instead, may require the user to close all open application windows and open a new application window, or require the user to manually clear the application's SSL certificate cache.
Moreover, applications today display an icon to show that a server has been authenticated. For example, a browser can display a security icon (such as “closed padlock”). However, applications do not provide any visual feedback to indicate whether or not client authentication is being used for a session.