Re: Certificates, users and machines

2007-05-25 Thread Urjit Gokhale
Still no response :-( Could someone please help me clarify my doubts? Thanks, ~ Urjit - Original Message - From: Urjit Gokhale [EMAIL PROTECTED] To: openssl-users@openssl.org Sent: Thursday, May 24, 2007 4:28 PM Subject: Re: Certificates, users and machines Thanks for your reply. I

Re: Certificates, users and machines

2007-05-25 Thread Marek Marcola
Hello, I would like to have your opinion on one scenario, and my approach to provide needed functionality: 1) I have a server that listens to connection requests from the clients over the internet (meaning anyone and everyone who knows my ip/port can send me connection request. I am not

Re: Certificates, users and machines

2007-05-25 Thread Michael Sierchio
Urjit Gokhale wrote: It seems that you are making the common mistake of conflating authentication with authorization. Certs are useful in binding pubkeys to identities and subsequently in verifying possession of the private key by being able to perform decryption. The SSL protocol has

RE: Certificates, users and machines

2007-05-25 Thread Mouse
... is it necessary to issue ONE certificate to EACH individual. Yes. The problem of granting access based on membership in a group is an authorization problem. Correct. This doesn't have anything to do with certificates -- permissions and roles change independently of binding

Re: Certificates, users and machines

2007-05-25 Thread Michael Sierchio
Mouse wrote: I.e. for the sake of the argument identity Michael may have an attribute employee of Tenebras, and another attribute permitted access to dev repository A12. Well, the Subject Distinguished Name should have the Organization, but I strongly disagree with you if you think access

Re: Certificates, users and machines

2007-05-25 Thread Urjit Gokhale
Thank you very much for the response. For both the responses I got, it looks like the server needs to access the information (whether identity or attribute or whatever) present in the certificate and use that to decide the permissions for the peer that represented this certificate. Is my

Re: RE: Certificates, users and machines

2007-05-25 Thread Victor B. Wagner
On 2007.05.25 at 08:16:19 -0400, Mouse wrote: I'm driving at Attribute Certificates. They are supposed to have shorter life than identity certs, but still long enough to be usable. I've seen a project to add attribute certificates to OpenSSL. http://openpmi.sourceforge.net/ You can try to

RE: Certificates, users and machines

2007-05-25 Thread Mouse
Well, the Subject Distinguished Name should have the Organization... Can you envision long-lived certs issued by gov't - like passports? In that case, Organization would not have the same semantics. But this is less relevant for our discussion. ...but I strongly disagree with you if you

RE: Certificates, users and machines

2007-05-25 Thread Mouse
For both the responses I got, it looks like the server needs to access the information (whether identity or attribute or whatever) present in the certificate and use that to decide the permissions for the peer that represented this certificate. Is my understanding correct? Partially so. An

RE: Certificates, users and machines

2007-05-25 Thread David Schwartz
and you've just multiplied your public key computation load by a factor of three or four. No, you merely double it. One - check that the identity cert is valid, two - that the attribute cert that *you* are interested in (out of a dozen that may be attached to this identity cert) is OK.

Re: Certificates, users and machines

2007-05-24 Thread Urjit Gokhale
] To: openssl-users@openssl.org Sent: Wednesday, May 16, 2007 4:45 PM Subject: Re: Certificates, users and machines A certificate binds the public key of a public/private (asymmetric) key pair with additional information. A certificate is trusted by some trusting authority. In most cases

Certificates, users and machines

2007-05-16 Thread Urjit Gokhale
Hello everyone, I have some doubts about certificates, which I wish to get clarification on. Here is my understanding about certificates: * Certificates bind the public key with some other information like the name of the owner (user), who generated the certificate, the validity period etc. *

Re: Certificates, users and machines

2007-05-16 Thread Kyle Hamilton
A certificate binds the public key of a public/private (asymmetric) key pair with additional information. A certificate is trusted by some trusting authority. In most cases, this is a certifying authority (CA) -- and the asymmetric signature by the CA is an assertion that the CA believes

Re: Certificates, users and machines

2007-05-16 Thread Victor B. Wagner
On 2007.05.16 at 16:03:38 +0530, Urjit Gokhale wrote: Hello everyone, I have some doubts about certificates, which I wish to get clarification on. Here is my understanding about certificates: * Certificates bind the public key with some other information like the name

Re: Certificates, users and machines

2007-05-16 Thread Peter Sylvester
I hope this information helps. -Kyle H Thank you for your response and information about the proxies. I now have a feeling that to write a verification callback function, I will need to retrieve the information stored in the certificate that the peer has sent to me. If you want