"James A. Donald" <[EMAIL PROTECTED]> writes:

> > That's a red herring. It happens to use X.509 as its
> > preferred bit-bagging format for public keys, but that's
> > about it. People use self-signed certs, certs from unknown
> > CAs [0], etc etc, and you don't need certs at all if you
> > don't need them, <blatant self-promotion>I've just done an
> > RFC draft that uses shared secret keys for mutual
> > authentication of client and server, with no need for
> > certificates of any kind</blatant self-promotion>, so the use
> > of certs, and in particular a hierarchical PKI, is merely an
> > optional extra. It's no more required in SSL than it is in
> > SSHv2.
>
> I never figured out how to use a certificate to authenticate a
> client to a web server, how to make a web form available to one
> client and not another. Where do I start?
>
> What I and everyone else does is use a shared secret, a
> password stored on the server, whereby the otherwise anonymous
> client gets authenticated, then gets an ephemeral cookie
> identifying him. I cannot seem to find any how-tos or
> examples for anything better, whether for IIS or apache.

http://www.modssl.org/docs/2.8/ssl_howto.html#auth-simple
-Ekr

--
[Eric Rescorla [EMAIL PROTECTED]
http://www.rtfm.com/

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
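The client-certificate setup that the linked mod_ssl howto describes, written out as an added example (not code from the thread or from the mod_ssl documentation): it replaces the password-plus-cookie scheme from the question with certificate authentication in the TLS handshake and restricts one form to a single client. The hostname, file paths, CA name and client DN are placeholders, and the directives assume Apache httpd 2.4 with mod_ssl.

```apache
# Added example, not from the thread. Hostname, paths and DNs are placeholders.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # Only certificates issued by this private CA count as client identities.
    # Do not point this at a bundle of public CAs: a certificate from any of
    # them would then pass the handshake.
    SSLCACertificateFile  /etc/ssl/certs/example-client-ca.pem

    # Consult the CA's revocation list so a lost or stolen client certificate
    # can be cut off without reissuing everyone else's.
    SSLCARevocationFile   /etc/ssl/crl/example-client-ca.crl
    SSLCARevocationCheck  chain

    # The public part of the site stays anonymous over TLS.
    SSLVerifyClient none

    # Everything under /private requires a valid client certificate whose
    # chain ends at the CA above and is at most one level deep.
    <Location /private>
        SSLVerifyClient require
        SSLVerifyDepth  1
        # Export SSL_CLIENT_S_DN and friends to the application so it can
        # tell which authenticated client is calling, without any cookie.
        SSLOptions +StdEnvVars
    </Location>

    # The form at /private/payroll is served to exactly one client: the one
    # whose certificate subject and issuer match these values. Matching on
    # the issuer as well as the subject keeps a second CA in the trust file
    # from minting a certificate with the same CN.
    # (SSLRequire still works in 2.4 but is deprecated in favour of
    # "Require expr" with the same variables.)
    <Location /private/payroll>
        SSLRequire %{SSL_CLIENT_S_DN_CN} eq "alice" \
               and %{SSL_CLIENT_S_DN_O}  eq "Example Corp" \
               and %{SSL_CLIENT_I_DN_CN} eq "Example Client CA"
    </Location>
</VirtualHost>
```

A client without a certificate from the example CA is refused during the handshake, before any request for the form reaches the application; one with a valid certificate but a different subject is refused at /private/payroll with a 403.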