Why can't we just import the certificate of the client application for an SSL check from the CAS server to the client application? To avoid, of course, the CAS server trusting all certificates certified by Verisign or another certification entity...
That would be an acceptable solution with respect to security. From an operational standpoint, it seems as untenable as managing keys for each peer. The vast majority of certificates expire annually or biannually, which would require substantial communication and maintenance costs for a non-trivial deployment. In practice no one does certificate trust on a per-certificate basis for this reason.
You might consider a facility like Shibboleth metadata where each service is responsible for maintaining its own certificate or other data needed to provide strong identity assurance. That scales much better by distributing the maintenance burden among N peers. On balance it's probably more work than what would be feasible for the 4.0 release.
M

-- 
You are currently subscribed to cas-dev@lists.jasig.org as: arch...@mail-archive.com
To unsubscribe, change settings or access archives, see http://www.ja-sig.org/wiki/display/JSG/cas-dev
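As an added example (not code from CAS, Shibboleth, or either message above), the Go program below contrasts the trust models the exchange is about. It builds a throwaway CA standing in for Verisign, issues client certificates to two services under it, and shows that chain validation alone accepts the second service's certificate when presented as the first one; it then adds a per-service metadata entry that pins the service's SubjectPublicKeyInfo hash, so the certificate must also carry the key that service published, and shows that this entry survives a renewal that keeps the key while a whole-certificate fingerprint does not. The CA name, the service names app1.example.edu and app2.example.edu, the Metadata type and its SPKI-hash format are all assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// must panics on error; the only failures possible here are a broken RNG or DER encoder.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// makeCert issues a one-year certificate for cn over key, signed by signer under parent.
// A nil parent yields a self-signed CA (standing in for a public CA such as Verisign).
func makeCert(cn string, serial int64, key, signer *ecdsa.PrivateKey, parent *x509.Certificate) *x509.Certificate {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(365 * 24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageCertSign, nil
		parent = tmpl
	}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))))
}

// fingerprint is the hex SHA-256 of a DER blob (a whole certificate or just its SPKI).
func fingerprint(der []byte) string {
	return fmt.Sprintf("%x", sha256.Sum256(der))
}

// Metadata is the hypothetical per-service registry: service ID -> SPKI fingerprint. Hashing
// only the SubjectPublicKeyInfo means the entry survives renewal while the service keeps its key.
type Metadata map[string]string

// chainOK is CA-only trust: every certificate the CA issued passes, whoever it names.
func chainOK(roots *x509.CertPool, leaf *x509.Certificate) error {
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err
}

// verifyPeer adds the per-service check on top of chain validation.
func verifyPeer(roots *x509.CertPool, md Metadata, service string, leaf *x509.Certificate) error {
	if err := chainOK(roots, leaf); err != nil {
		return err
	}
	pin, ok := md[service]
	if !ok {
		return fmt.Errorf("no metadata entry for %s", service)
	}
	if fingerprint(leaf.RawSubjectPublicKeyInfo) != pin {
		return fmt.Errorf("public key does not match the metadata entry for %s", service)
	}
	return nil
}

type Results struct {
	CAOnlyAcceptsOtherService bool // app2's CA-issued cert passes chain validation alone
	PinAcceptsSameKeyRenewal  bool // app1's renewed cert (same key) still matches its entry
	PinRejectsOtherService    bool // app2's cert is rejected for app1 despite its valid chain
	FingerprintChangesOnRenew bool // per-certificate trust would need updating at renewal
}

// Demo builds two client services under one CA, renews one, and compares the trust models.
func Demo() Results {
	newKey := func() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
	caKey, app1Key, app2Key := newKey(), newKey(), newKey() // constructed for illustration only
	ca := makeCert("Hypothetical Public CA", 1, caKey, caKey, nil)
	app1 := makeCert("app1.example.edu", 2, app1Key, caKey, ca)
	app2 := makeCert("app2.example.edu", 3, app2Key, caKey, ca)
	app1Renewed := makeCert("app1.example.edu", 4, app1Key, caKey, ca) // same key, new certificate
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	md := Metadata{"app1.example.edu": fingerprint(app1.RawSubjectPublicKeyInfo)}
	return Results{
		CAOnlyAcceptsOtherService: chainOK(roots, app2) == nil,
		PinAcceptsSameKeyRenewal:  verifyPeer(roots, md, "app1.example.edu", app1Renewed) == nil,
		PinRejectsOtherService:    verifyPeer(roots, md, "app1.example.edu", app2) != nil,
		FingerprintChangesOnRenew: fingerprint(app1.Raw) != fingerprint(app1Renewed.Raw),
	}
}

func main() {
	fmt.Printf("%+v\n", Demo())
}
```

Two caveats a deployer would want. The key pin only removes the renewal chore when the service keeps its key across renewals; a service that rotates keys still has to publish a new entry, which is exactly the maintenance the reply proposes pushing out to each of the N peers rather than doing centrally. And the registry itself still has to reach the CAS server and be authenticated somehow (SAML metadata deployments commonly sign the metadata document for this), which this example leaves out.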