> But, if I understand correctly, with the X.509 handler users (clients) just
> expose the X.509 certificate to the server, and if the certificate is valid and trusted
> the user is authenticated. But I need signed challenge data to verify the user's
> authentication (because of security reasons, anyone can have your
> certificate).
You don't simply send the certificate blindly to the server. The certificate is used to perform a client SSL handshake, which naturally involves a signature check using the private key. In the case of a hardware token, the private key never leaves the device; you simply leverage the PKCS11 interface to perform safe operations, one of which is a signature check.

I can assure you that using the X.509 handler alone will meet your needs, but possibly with certificate revocation checking. A revocation check ensures that the certificate has not been administratively revoked before its natural expiration. In the case of a revoked cert, the handshake would proceed (meaning the client possessed the private key), but the server would reject the certificate since it would be identified as revoked (listed on a CRL, flagged by OCSP, or absent from an LDAP directory containing the list of valid certs).

M
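The three checks the reply describes (trust chain, proof of possession of the private key, revocation), as an added example in Go that is not part of the original thread or of CAS. The `issue` helper generates constructed test certificates; `sign` and `revoked` are assumed callbacks standing in for the client's key and for whatever revocation source the server consults.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// issue builds constructed test PKI: a self-signed root when ca is nil, otherwise a leaf signed by ca.
func issue(cn string, serial int64, ca *x509.Certificate, caKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, IsCA: ca == nil,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour)}
	if ca == nil {
		ca, caKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		panic(err) // fixture code only
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// authenticate is the relying party's side of what the reply describes: sign stands in for the client's
// private key (or a token that never releases it), revoked for the source consulted (CRL, OCSP, LDAP).
func authenticate(ca, cert *x509.Certificate, sign func([]byte) []byte, revoked func(*big.Int) bool) error {
	roots := x509.NewCertPool() // 1. the certificate must chain to a trusted CA and be inside its validity period
	roots.AddCert(ca)
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return err
	}
	// 2. Proof of possession: anyone can hold the certificate, but only the holder of the matching key signs a fresh nonce.
	nonce := make([]byte, 32)
	rand.Read(nonce)
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, nonce, sign(nonce)) {
		return errors.New("client did not prove possession of the private key")
	}
	// 3. Revocation: a good chain and signature are not enough if the CA has withdrawn the certificate.
	if revoked(cert.SerialNumber) {
		return errors.New("certificate is revoked")
	}
	return nil
}
```

A real TLS stack performs step 2 inside the handshake (the client signs handshake data with its key), so a copy of the certificate alone never gets past it.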
