Jeffrey Altman wrote:
> 
> > >What is the purpose of global CAs such as
> > >Verisign if I can't trust the certificates to identify an end user?
> >
> > That is indeed the question.  At least the part before the "if" :)
> >
> > At least now you can have a single value (subject,issuer,serial#)
> > to map "global identity" (sic) into local credentials.  If you
> > think that any random cert signed by any random CA can be trusted
> > by your local programs.
> >
> > In many cases globally-scalable identities have to be mapped down
> > into a smaller ID space -- e.g., a 32bit Unix userid.
> >
> > There's no magic bullet here.
> >       /r$
> 
> I'm not looking for a magic bullet.  What I am looking for is a method
> to package and distribute clients and servers that will work out of
> the box.  And the answer is, that if you want to do client auth with
> PKI then you can't.  You need to modify the code to support whatever
> local system is in use for certificate to ID mapping.

That's simply not true. There are plenty of other ways to do it (e.g.
trust certain CAs, or add attributes to the certs).

> What this says to me is that Client Auth should not be a part of
> SSL/TLS and that the client auth protocol should be built on a higher
> layer.  Whether that client authentication layer be PKI based or
> something like Kerberos, Secure Remote Password, SecureID, OTP, or
> something else.

What it says to me is that client auth is non-trivial and has to be
handled in a way appropriate to the environment. Sometimes what TLS/SSL
provides is sufficient. Sometimes it needs supplementing. Sometimes it
isn't the right thing at all. Moving it to a higher layer removes the
possibility of using the first two, which really is a step backwards.

Cheers,

Ben.

--
http://www.apache-ssl.org/ben.html

"My grandfather once told me that there are two kinds of people: those
who work and those who take the credit. He told me to try to be in the
first group; there was less competition there."
     - Indira Gandhi
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
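The mapping problem the thread circles around (a globally unique (subject, issuer, serial#) identity squeezed into a 32-bit Unix uid, plus the alternatives Ben names: trusting only certain CAs, or carrying attributes in the certificate) is sketched below as an added example. It is not code from the thread, from OpenSSL or from Apache-SSL; the certificate is modelled as a plain record rather than parsed from DER, the CA names and users are constructed, and the "localuid" attribute is a hypothetical certificate extension.

```python
"""Map a verified TLS client certificate onto a local Unix uid.

Constructed example, not from the mailing-list thread or OpenSSL: the
certificate is a small record instead of a parsed X.509 object so the
policy logic runs without a crypto library.  The "localuid" attribute
name is a hypothetical extension chosen for illustration.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Tuple

UID_MAX = 2**32 - 1  # the 32-bit Unix uid space mentioned in the thread


@dataclass
class ClientCert:
    """Fields a server sees in a peer certificate after chain verification."""
    subject: str                      # e.g. "CN=alice,O=Example"
    issuer: str                       # e.g. "CN=Corp CA,O=Example"
    serial: int
    attributes: Dict[str, object] = field(default_factory=dict)  # hypothetical extension values


class LocalCredentialMapper:
    """Three policies, tried in order; the first one that yields a uid wins."""

    def __init__(self, trusted_cas, explicit_map, attribute_cas):
        self.trusted_cas = frozenset(trusted_cas)      # CAs we chose to trust at all
        self.explicit_map = dict(explicit_map)         # (subject, issuer, serial) -> uid
        self.attribute_cas = frozenset(attribute_cas)  # CAs allowed to assert uids

    def map_to_uid(self, cert: ClientCert) -> Tuple[Optional[int], str]:
        """Return (uid, reason); uid is None when the cert maps to nobody."""
        # Policy 1: only issuers we deliberately trust, never "any random CA".
        if cert.issuer not in self.trusted_cas:
            return None, "issuer not in trusted CA set"
        # Policy 2: pin the exact (subject, issuer, serial) triple to a uid.
        key = (cert.subject, cert.issuer, cert.serial)
        if key in self.explicit_map:
            return self.explicit_map[key], "explicit (subject, issuer, serial) mapping"
        # Policy 3: honour a uid attribute in the cert, but only from CAs we
        # authorised to assert local uids, and only if it fits the uid space.
        if cert.issuer in self.attribute_cas:
            uid = cert.attributes.get("localuid")
            if isinstance(uid, int) and 0 <= uid <= UID_MAX:
                return uid, "uid attribute asserted by authorised CA"
            return None, "uid attribute missing or out of range"
        return None, "trusted issuer but no local mapping"


# Constructed CA names and sample certificates for the demonstration.
CORP_CA = "CN=Corp CA,O=Example"
PUBLIC_CA = "CN=Global Public CA,O=Example Global"
UNKNOWN_CA = "CN=Random CA,O=Somewhere"

SAMPLE_CERTS = {
    "alice": ClientCert("CN=alice,O=Example", CORP_CA, 0x1001),
    "bob": ClientCert("CN=bob,O=Example", CORP_CA, 0x1002, {"localuid": 1001}),
    "carol": ClientCert("CN=carol,O=Elsewhere", PUBLIC_CA, 0x77, {"localuid": 0}),
    "dave": ClientCert("CN=dave,O=Example", UNKNOWN_CA, 0x1, {"localuid": 1003}),
    "eve": ClientCert("CN=eve,O=Example", CORP_CA, 0x1005, {"localuid": 2**32}),
}


def build_mapper() -> LocalCredentialMapper:
    """A site policy: two trusted CAs, one explicit pin, one attribute-capable CA."""
    return LocalCredentialMapper(
        trusted_cas={CORP_CA, PUBLIC_CA},
        explicit_map={("CN=alice,O=Example", CORP_CA, 0x1001): 1000},
        attribute_cas={CORP_CA},
    )


def map_all() -> Dict[str, Tuple[Optional[int], str]]:
    """Run every sample certificate through the site policy."""
    mapper = build_mapper()
    return {name: mapper.map_to_uid(cert) for name, cert in SAMPLE_CERTS.items()}


if __name__ == "__main__":
    for name, (uid, reason) in map_all().items():
        print(f"{name:6s} -> uid={uid!s:5s} ({reason})")
```

The order of the policies is the point: a public CA can be trusted to vouch for a name without being trusted to assert a local uid, and an explicit pin on the full (subject, issuer, serial) triple survives a CA reissuing a certificate to a different person under the same subject name.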