[Date Prev][Date Next] [Thread Prev][Thread Next] [Date Index] [Thread Index]

Re: Limiting access to website ???

Dave Carrigan <dave@rudedog.org> [2003:10:04:15:15:21-0700] scribed:
> On Sat, Oct 04, 2003 at 04:25:57PM -0500, Michael D Schleif wrote:
> > OK, this section is what I need -- thank  you:
> > 
> >    <http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6>
> > 
> > Correct me if I am wrong; but, this is the process?
> > 
> > [1] One (1) Certificate per client/browser authenticates *both* the
> > server to the client, and the client to the server; and
> The server will need its own certificate with a CN of the server's
> hostname.

Yes, of course; but, thank you for pointing it out.

> > [2] Each client/browser can have *either* a unique client-specific
> > Certificate, or each client/browser can have a Certificate _common_ to a
> > group, for purposes of authentication in point [1].
> I suspect that you would be better off generating a certificate for each
> client, but that probably depends on your requirements.


> > [3] Will we need to become our own Certificate Authority, or would this
> > work just as well with self-signed Certificates, and without any upline
> > authority?
> You will need to be a CA, and the both the server cert and the clients'
> certs will need to be signed by that CA. In addition, the server config
> needs to point to the CA's cert so that it can verify the clients'
> certs. 

Yes, this is the kind of detail that I did not guess.

While on this subject, what do you recommend for us to become a CA?
`apt-cache search certificate' shows only pyca -- is that adequate?
What are the considerations for becoming a CA?

> The clients should have the CA's cert installed as well or else each
> client will complain when they connect because they don't recognize the
> server's certificate signer. This isn't strictly necessary, as long as
> your users can be trained to permanently accept the unknown cert the
> first time they connect.
> Note that all this could become very onerous if your application isn't
> targeted at a closed group of users (i.e., it's something on the
> Internet).

The point is to allow only a select group access to the application;
access which may or may not go across the Internet.  One level of
security would be this passive approach, whereby if the client does not
present an acceptable certificate upon connection to the server, the
server will not respond to the client's requests with access to the

If the client presents an acceptable certificate, then the server will
invoke other access and authentication processes.

Thank you, for your insightful responses . . .

Best Regards,

mds resource
Dare to fix things before they break . . .
Our capacity for understanding is inversely proportional to how much
we think we know.  The more I know, the more I know I don't know . . .

Attachment: pgp1oHQob0His.pgp
Description: PGP signature

Reply to: