-
Notifications
You must be signed in to change notification settings - Fork 8
New issue
Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.
By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.
Already on GitHub? Sign in to your account
TLS-CCA not working #68
Comments
Where did you get this conclusion? |
I came to this conclusion based on my experience while using the installer on macOS Sonoma (version 14). Here's what happened: I installed the package from id.ee I tested it with both Safari and Chrome browsers, but neither browser prompted me for a client certificate when trying to authenticate. The server returned an error during the authentication process. I then installed OpenSC, and after that, both Safari and Chrome started prompting for a client certificate, and authentication worked correctly. Based on this behavior, it seems that the package might be missing something that OpenSC provides, which enables TLS-CCA to work properly. I hope this helps clarify my concern. Please let me know if you need more information or if there's something else I should try. |
Seems like the esteid-ctk-tokend extension is not loaded or misbehaves. |
Additionally, I tried to find more information on TLS-CCA, particularly a public testing page, but I couldn’t locate anything specific. I found some details on the ID.ee website, but it only mentions Web eID and doesn’t provide any guidance on testing TLS-CCA. |
I initially looked into this because I’ve been hearing more and more complaints from Mac users saying that the ID-card simply doesn't work, and that the software from RIA is often described as "not working for me TM". Unfortunately, I don’t have the capacity right now to fully debug the issue or to compare why OpenSC works right out of the box while the EsteID solution does not. However, I did notice that OpenSC was last updated in 2024, whereas EsteID was updated in 2022. This difference in release dates might (or might not) be a factor. |
TLDR;
Description: The current version of the "osx-installer" repository does not include support for TLS-CCA (TLS client certificate authentication).
What is TLS-CCA? TLS-CCA is a certificate-based authentication method that is useful for services with strict security requirements, such as e-services where state secrets are stored. This method is an alternative to Web eID, which is recommended for general personal identification with an ID-card in e-services.
Why is this important? For high-security environments, TLS-CCA is still a preferred solution. According to the security analysis by Cybernetica AS, while Web eID offers a user-friendly option, TLS-CCA is recommended for e-services with stricter security needs. The current installer package only seems to support the Web eID solution but is missing the important option for TLS-CCA.
Expected Behavior: The installer should include support for TLS-CCA, along with Web eID, to offer users the option to use TLS-CCA for personal identification with ID-cards in high-security e-services.
The text was updated successfully, but these errors were encountered: