TLS-CCA not working #68
Comments
Where did you get this conclusion? |
|
I came to this conclusion based on my experience while using the installer on macOS Sonoma (version 14). Here's what happened: I installed the package from id.ee I tested it with both Safari and Chrome browsers, but neither browser prompted me for a client certificate when trying to authenticate. The server returned an error during the authentication process. I then installed OpenSC, and after that, both Safari and Chrome started prompting for a client certificate, and authentication worked correctly. Based on this behavior, it seems that the package might be missing something that OpenSC provides, which enables TLS-CCA to work properly. I hope this helps clarify my concern. Please let me know if you need more information or if there's something else I should try. |
|
Seems like the esteid-ctk-tokend extension is not loaded or misbehaves. |
|
Additionally, I tried to find more information on TLS-CCA, particularly a public testing page, but I couldn’t locate anything specific. I found some details on the ID.ee website, but it only mentions Web eID and doesn’t provide any guidance on testing TLS-CCA. |
|
I initially looked into this because I’ve been hearing more and more complaints from Mac users saying that the ID-card simply doesn't work, and that the software from RIA is often described as "not working for me TM". Unfortunately, I don’t have the capacity right now to fully debug the issue or to compare why OpenSC works right out of the box while the EsteID solution does not. However, I did notice that OpenSC was last updated in 2024, whereas EsteID was updated in 2022. This difference in release dates might (or might not) be a factor. |
TLDR;
Description: The current version of the "osx-installer" repository does not include support for TLS-CCA (TLS client certificate authentication).
What is TLS-CCA? TLS-CCA is a certificate-based authentication method that is useful for services with strict security requirements, such as e-services where state secrets are stored. This method is an alternative to Web eID, which is recommended for general personal identification with an ID-card in e-services.
Why is this important? For high-security environments, TLS-CCA is still a preferred solution. According to the security analysis by Cybernetica AS, while Web eID offers a user-friendly option, TLS-CCA is recommended for e-services with stricter security needs. The current installer package only seems to support the Web eID solution but is missing the important option for TLS-CCA.
Expected Behavior: The installer should include support for TLS-CCA, along with Web eID, to offer users the option to use TLS-CCA for personal identification with ID-cards in high-security e-services.
The text was updated successfully, but these errors were encountered: