
Re: Limiting access to website ???



Dave Carrigan <dave@rudedog.org> [2003:10:04:15:15:21-0700] scribed:
> On Sat, Oct 04, 2003 at 04:25:57PM -0500, Michael D Schleif wrote:
> 
> > OK, this section is what I need -- thank you:
> > 
> >    <http://www.modssl.org/docs/2.8/ssl_howto.html#ToC6>
> > 
> > Correct me if I am wrong; but, this is the process?
> > 
> > [1] One (1) Certificate per client/browser authenticates *both* the
> > server to the client, and the client to the server; and
> 
> The server will need its own certificate with a CN of the server's
> hostname.

Yes, of course; but, thank you for pointing it out.

> > [2] Each client/browser can have *either* a unique client-specific
> > Certificate, or each client/browser can have a Certificate _common_ to a
> > group, for purposes of authentication in point [1].
> 
> I suspect that you would be better off generating a certificate for each
> client, but that probably depends on your requirements.

OK

> > [3] Will we need to become our own Certificate Authority, or would this
> > work just as well with self-signed Certificates, and without any upline
> > authority?
> 
> You will need to be a CA, and both the server cert and the clients'
> certs will need to be signed by that CA. In addition, the server config
> needs to point to the CA's cert so that it can verify the clients'
> certs. 

Yes, this is the kind of detail that I did not guess.

While on this subject, what do you recommend for us to become a CA?
`apt-cache search certificate' shows only pyca -- is that adequate?
What are the considerations for becoming a CA?

> The clients should have the CA's cert installed as well or else each
> client will complain when they connect because they don't recognize the
> server's certificate signer. This isn't strictly necessary, as long as
> your users can be trained to permanently accept the unknown cert the
> first time they connect.
> 
> Note that all this could become very onerous if your application isn't
> targeted at a closed group of users (i.e., it's something on the
> Internet).

The point is to allow only a select group access to the application;
access which may or may not go across the Internet.  One level of
security would be this passive approach, whereby if the client does not
present an acceptable certificate upon connection to the server, the
server will not respond to the client's requests with access to the
application.

If the client presents an acceptable certificate, then the server will
invoke other access and authentication processes.

Thank you, for your insightful responses . . .

-- 
Best Regards,

mds
mds resource
877.596.8237
-
Dare to fix things before they break . . .
-
Our capacity for understanding is inversely proportional to how much
we think we know.  The more I know, the more I know I don't know . . .
--
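
The CA arrangement discussed in this message, as an added example that is not part of the original thread: a private CA signs one server certificate and one per-client certificate, and a self-signed client certificate fails verification against that CA. It assumes the `openssl` command-line tool is installed; all subject names and file names are constructed placeholders.

```shell
#!/usr/bin/env bash
# Constructed demo: Demo Private CA, www.example.test, client-alice and
# client-rogue are placeholders, not values from the thread.
set -eu

write_cnf() {   # $1 = work dir; minimal config so no system openssl.cnf is needed
  cat > "$1/demo.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden-by-subj
[v3_ca]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
EOF
}

make_ca() {     # $1 = work dir; the CA cert is the only self-signed cert in the scheme
  write_cnf "$1"
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$1/demo.cnf" \
    -extensions v3_ca -subj "/CN=Demo Private CA" \
    -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

issue_cert() {  # $1 = dir, $2 = file stem, $3 = CN; key + CSR, then signed by the CA
  openssl req -new -newkey rsa:2048 -nodes -config "$1/demo.cnf" -subj "/CN=$3" \
    -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
  openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.crt" -CAkey "$1/ca.key" \
    -CAcreateserial -days 365 -out "$1/$2.crt" 2>/dev/null
}

self_signed() { # $1 = dir, $2 = file stem, $3 = CN; a cert with no CA behind it
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -config "$1/demo.cnf" \
    -subj "/CN=$3" -keyout "$1/$2.key" -out "$1/$2.crt" 2>/dev/null
}

verifies() {    # $1 = dir, $2 = file stem; true only if the cert chains to ca.crt
  openssl verify -CAfile "$1/ca.crt" "$1/$2.crt" 2>/dev/null | grep -q ': OK$'
}

d=$(mktemp -d)
make_ca "$d"
issue_cert "$d" server www.example.test   # CN = the server's hostname
issue_cert "$d" alice client-alice        # one certificate per client
self_signed "$d" rogue client-rogue
for c in server alice rogue; do
  if verifies "$d" "$c"; then echo "$c: chains to CA"; else echo "$c: rejected"; fi
done
# mod_ssl side: SSLCACertificateFile points at ca.crt, with SSLVerifyClient require
```

The same `ca.crt` is what clients import so that they recognize the signer of the server's certificate; `ca.key` stays off the web server.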
