(No comment was entered for this change.)

(No comment was entered for this change.)

Wan-Teh recommends that this not block the beta.  I agree.  Moving to milestone 4.

Not a blocker for mstone-4 moving to mstone-5

hawk: do you have time in Q4 to work on SSL client authentication
for Mac?

It depends on Mac beta timing, but I'll take the bug.

Are you also considering allow loading pkcs11 modules files like firefox does ? That 
would be very useful since there are just a few smart cards/usb tokens supported natively on mac.

marcelo: We want to use the "native" interface to smart cards.  How
does one configure Safari to use smart cards/USB tokens?

wtc:  Smartcards are all handled by the Keychain (a tokend for each device type).  Its just using the CDSA 
architecture, so if you have an "Identity" you can use that to perform cryptographic functions.  I think Apple even 
provides some convenience API's for doing HTTPS with client auth, though Ive not used those directly. I have 
used the CDSA stuff to write a PKCS11 driver that uses Keychain as the backend; its a bit complicated at first but 
not too terrible after you get a handle on all the parts.

So glad Chrome's using the native OS keystore. Can't wait for Mac client-auth to work.

wtc: sorry for the late answer ... to use usb tokens/smart cards on mac i use SCA 
(http://www.opensc-project.org/sca/). So, you just have to install SCA and start using 
one of the supported smart cards.
That is the issue here, because there are some cards/tokens that are not supported by 
SCA but they offer some PKCS11 modules to be loaded (e.g. Feitian epass 2000). 
Anyway ... maybe this issue is an mac keychain issues instead of a chrome issue.

Replacing labels:
   Area-BrowserBackend by Area-Internals

(No comment was entered for this change.)

Fixing a bulk edit. Looks like the search query was not correct.

(No comment was entered for this change.)

(No comment was entered for this change.)

I could take this at some point — I'm fairly experienced with Keychain and CDSA, though 
not the Chrome network stack.

snej sounds interested, over to him for parity work. P1 for M5.

(No comment was entered for this change.)

I have it working, although so far I've only tested it with a toy SSL server running on my 
machine (Apple's SSLSample.) I'm using the system identity-chooser panel as the UI 
(SFChooseIdentityPanel); currently it comes up modally, but I'd like to make it a per-tab 
sheet.

snej: good progress!

You can test against https://www.myopenid.com/signin_certificate
It requests SSL client authentication over renegotiation (as
opposed to the initial handshake).  You can get a certificate
from that site.

The myopenid URL fails to load because SSLClientSocketMac is misinterpreting the 
status code errSSLServerAuthCompletedFlag as an error and aborting the connection. 
Backtrace is:

#0  net::(anonymous namespace)::NetErrorFromOSStatus (status=-9841) at 
/Volumes/Chromium/src/net/socket/ssl_client_socket_mac.cc:194
#1  0x0747f877 in net::SSLClientSocketMac::DoPayloadRead (this=0x2164790) at 
/Volumes/Chromium/src/net/socket/ssl_client_socket_mac.cc:1022
#2  0x074817de in net::SSLClientSocketMac::OnTransportReadComplete 
(this=0x2164790, result=5) at 
/Volumes/Chromium/src/net/socket/ssl_client_socket_mac.cc:839