Anton, Thanks for your support. I do want to caution your enthusiasm for the browser support. I believe that all current production browsers implement the feature you found using HTTP-authentication, not TLS/SSL. Trying to create a user interface for this complex concept can't be easy, and the prevailing reason to use client certificates was for user authentication. Thus they took the most logical short-cut.
It is my understanding that IE7 will have true TLS/SSL client-certificate authentication. It is also my understanding that firefox current 1.5 has TLS/SSL client-certificate authentication. I had seen test results that indicated this was true. http://www.mozilla.org/projects/security/pki/nss/results.html I have not been able to confirm this personally. John -----Original Message----- From: Anton Okmianski (aokmians) [mailto:[EMAIL PROTECTED] Sent: Wednesday, October 26, 2005 1:44 PM To: Tom Petch; Moehrke, John (GE Healthcare); [EMAIL PROTECTED] Subject: RE: Why not TLS was Re: [Syslog] Secure substrate - need your input > TLS does support mutual node authentication. The healthcare > world has been using mutual-node-authenticated-TLS for over > three years. We use it often to ensure that a X-Ray device is > actually talking to the Picture Archiving Service. Both > systems need to know that they are talking to the right > 'other' system. This transaction doesn't need to have user > authentication as the process is fully automated. Indeed we > don't always turn on TLS encryption. But we do always do > mutual-authentication. Yes this means that there is a X.509 > certificate managed for both nodes. But this certificate > management is not nearly as complex as person-certificates > (another discussion we can have on miss-understandings due to > the wrong questions being asked). > > Tom- this one puzzles me. SSH has got server and client > authorisation defined in the I-Ds, soon to be RFCs. Reading > the TLS I-Ds I see no sign of client authorisation and since > that is a must for SNMP, then the note I quoted earlier, to > the isms list, saying that SASL would needed alongside TLS > made perfect sense (as I would expect since it came from the > Security AD:-). So where does mutual authentication come > from? What RFC or I-D defines it? Is it a proprietary > extension? Is it two simplex transmissions with only server > authentication? > Sometimes it does matter to know what goes on under the > covers. (Of course, if client authentication is not needed > then this is academic). Client auth is a fundamental feature of TLS. It is all over the TLS RFC: http://www.faqs.org/rfcs/rfc2246.html Search it for "client authentication" or "client certificate". There are whole sections on it. It is part of the initial SSL/TLS setup. Server may require client-auth if configured so. If you don't believe that it is deployed, open you browser security settings. John mentioned that not all browsers supports client certs for SSL/TLS. Well... At least IE, Netscape, Firefox support it and had for some time. In fact, they have pretty advanced features around client certs. For example, you can use a different client cert with different sites. The real question IMO, again, is whether or not symmetric auth (password / shared secret based) is considered important. SSH has it. TLS does not. If client certs are acceptable to people, then TLS is a perfect solution. I think certificate-based infrastructure is more secure and easier to manage in the end. No interactive user auth is needed for syslog, as John mentioned. And if you store passwords instead of having user type them in, then you are really only one-step away from using certs. Thanks, Anton. > > <snip> > John > > > > _______________________________________________ > Syslog mailing list > Syslog@lists.ietf.org > https://www1.ietf.org/mailman/listinfo/syslog > > > _______________________________________________ > Syslog mailing list > Syslog@lists.ietf.org > https://www1.ietf.org/mailman/listinfo/syslog > _______________________________________________ Syslog mailing list Syslog@lists.ietf.org https://www1.ietf.org/mailman/listinfo/syslog
