On 27/04/12 03:34 AM, Thierry Moreau wrote:
> A question for those who follow PKI usage trends.
>
> Is there a list of CAs that issue X.509 end-user certificates?

Hmm.... client-certs as opposed to server-side certs. The answer is "most" but as it is a very low value faux-loss-leader business, nobody cares much about it, certainly not enough to track it as far as I know.

> Here is the rationale for the question:
>
> If an end-user has a certificate, he (more or less consciously) controls
> a private key. Suppose one deploys a web server that cares *only* about
> end-user public keys, e.g. it keeps track of end-user reputation and
> that's it for trust management. Then any type of certificate is good
> enough (self-signed, auto-issued, issued by a regular
> "client-cert-issuing CA").

Yes, this is what I do with a site of mine. Anyone with a client-cert can connect and play. That's it. You can read some sort of intro about the background here: http://wiki.cacert.org/Technology/KnowledgeBase/ClientCerts/theOldNewThing But what we lack is a how-to of all the decisions.

> This web server can have an immediate potential user base if it
> negotiates the TLS session with a long list of CA distinguished names
> (in the CertificateRequest message).

ah. In my work, I have discovered that it is far better to turn off all decision making in the TLS/apache side, to simply set the cert request to optional and pass the result in variables to the application.

    # client may present a cert; the handshake continues without one
    SSLVerifyClient optional
    # export the SSL_* variables, including the PEM client cert, to the application
    SSLOptions +StdEnvVars +FakeBasicAuth +ExportCertData
    # user name for FakeBasicAuth / REMOTE_USER comes from the cert's email address
    SSLUserName SSL_CLIENT_S_DN_Email

Then, in the application code, read all the cert variables and make an application level decision.

> The management tools for the contemplated web server scheme would
> include an issuer DN extraction utility from end-user or CA certificates
> so that the list may be augmented based on casual observations. Also,
> the SSL debugging tools will report the contents of CertificateRequest
> messages from public servers supporting client certs.
>
> Anyone went through such data collection before?

Well, to the extent above. My db has a table for all certs, and a table for all users, with a join by cert identifiers between the two tables.

> Thanks in advance.

iang
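An added example (not iang's code or his site's own) of the application side of this setup: a Python function that reads the SSL_* variables mod_ssl exports with the options above, keys the user on the certificate's fingerprint rather than on who issued it, and collects the issuer DNs that Thierry's CertificateRequest list would be augmented from. It assumes `SSLVerifyClient optional_no_ca` rather than `optional`, since with `optional` a self-signed or unknown-CA cert fails the handshake before the application sees it; the sample environ and PEM body are constructed, not a real certificate.

```python
import base64
import hashlib
import ssl

# SSL_CLIENT_VERIFY values that mean "a key holder showed up". Assumption:
# SSLVerifyClient optional_no_ca, so a self-signed or unknown-CA cert reaches
# the application as GENEROUS instead of failing the TLS handshake.
ACCEPTED_VERIFY_STATES = {"SUCCESS", "GENEROUS"}

def parse_dn(dn):
    """Split '/C=AU/O=X/CN=alice' or 'CN=alice,O=X,C=AU' into a dict (no escapes)."""
    sep = "/" if dn.startswith("/") else ","
    return {k: v for k, _, v in (p.partition("=") for p in dn.split(sep) if p)}

def client_identity(environ):
    """Certs-table record for this request, or None if no usable cert came in."""
    state = environ.get("SSL_CLIENT_VERIFY", "NONE")
    if state not in ACCEPTED_VERIFY_STATES:          # NONE or FAILED:<reason>
        return None
    pem = environ.get("SSL_CLIENT_CERT", "").strip()  # present via +ExportCertData
    if not pem.startswith("-----BEGIN CERTIFICATE-----"):
        return None
    der = ssl.PEM_cert_to_DER_cert(pem)
    issuer_dn = environ.get("SSL_CLIENT_I_DN", "")
    return {
        # SHA-256 of the DER: stable join key between the certs and users tables
        "cert_id": hashlib.sha256(der).hexdigest(),
        "email": environ.get("SSL_CLIENT_S_DN_Email"),
        "issuer_dn": issuer_dn,
        "issuer": parse_dn(issuer_dn),
        "verify": state,
    }

def issuer_dns(records):
    """Distinct issuer DNs seen so far, for augmenting the CertificateRequest list."""
    return sorted({r["issuer_dn"] for r in records if r and r["issuer_dn"]})

# Constructed sample request. The PEM body is a stand-in, NOT a real certificate;
# only the framing, fingerprint and DN handling paths are exercised.
SAMPLE_DER = b"constructed stand-in for DER certificate bytes"
SAMPLE_ENVIRON = {
    "SSL_CLIENT_VERIFY": "GENEROUS",
    "SSL_CLIENT_S_DN_Email": "alice@example.com",
    "SSL_CLIENT_I_DN": "/C=AU/O=Example/CN=alice",  # self-signed: issuer == subject
    "SSL_CLIENT_CERT": "-----BEGIN CERTIFICATE-----\n"
    + base64.encodebytes(SAMPLE_DER).decode()
    + "-----END CERTIFICATE-----\n",
}
```

Under CGI or mod_wsgi the `environ` passed in is the request environment; a `FAILED:` state or a missing cert simply yields an anonymous request for the application to treat as it sees fit.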
_______________________________________________
cryptography mailing list
[email protected]
http://lists.randombit.net/mailman/listinfo/cryptography