On 20 Nov 2010, at 10:19 PM, Rob Lemaster wrote:

Isn't mod_ssl used solely for HTTPS (browser-server encryption)? I
would like to use PKI for user authentication like you can in SSH on
top of the encryption provided by HTTPS. The most secure option I see
available for web authentication currently is OTP tokens (RSA,etc)
that only work on one web site.

mod_ssl is used solely for https, yes, but the feature you're looking for is built into https by default already.

Certificates work symmetrically, both sides have the power to require the other side to present a valid certificate.

In the case you might be most familiar with, only one side has a certificate (the server). The other side (the browser) has no certificate. In this scenario, the browser can be sure it is speaking to the right server, because the server presented a signed certificate, but the server has no idea about the browser. Usually, some other authentication mechanism is used to identify the browser, of varying strengths (passwords, etc).

In the case you want however, both sides of the connection are configured to require a certificate from the other side. The certificates do the same job as the keys that are exchanged in your SSH configuration: they allow the other side to say "yup, I trust you", and that trust works both ways.

Unlike an SSH key however, a certificate contains embedded within it details of the person (or thing) that owns the certificate, but these are details as far as the protocol is concerned.

Regards,
Graham
--
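The mutual-certificate setup Graham describes, as an added example that is not part of the thread: a throwaway CA issues a server certificate and a client certificate, `openssl verify` performs the same chain check that mod_ssl's `SSLVerifyClient require` performs on the client's certificate during the handshake, and the matching Apache directives are written out. The host name `example.test`, the user `alice`, the unrelated self-signed `mallory` certificate and the work directory are all assumptions made for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): client-certificate authentication for
# Apache mod_ssl. Assumed names: example.test, alice, mallory, $WORK.
set -eu

WORK="${WORK:-$(mktemp -d)}"

make_ca() {
  # Self-signed CA that signs both the server and the client certificate.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Demo Client CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

issue_cert() {
  # issue_cert NAME SUBJECT: key + CSR, then a certificate signed by the CA.
  name=$1; subj=$2
  openssl req -newkey rsa:2048 -nodes -subj "$subj" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$name.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/$name.crt" 2>/dev/null
}

verify_client_cert() {
  # Succeeds only if the cert chains to our CA; this is the check
  # SSLVerifyClient require applies to the certificate the browser presents.
  openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

client_subject() {
  # The identity mod_ssl exposes as SSL_CLIENT_S_DN once the handshake succeeds.
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//'
}

write_apache_conf() {
  cat > "$WORK/mtls.conf" <<EOF
# Apache mod_ssl: the server presents its own cert AND requires one from the client.
<VirtualHost *:443>
    ServerName example.test
    SSLEngine on
    SSLCertificateFile    $WORK/server.crt
    SSLCertificateKeyFile $WORK/server.key
    # Trust anchor for client certs; only certs chaining to it are accepted.
    SSLCACertificateFile  $WORK/ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  1
    # Authorisation on top of authentication: restrict a path to one holder.
    <Location /admin>
        SSLRequire %{SSL_CLIENT_S_DN_CN} eq "alice"
    </Location>
</VirtualHost>
EOF
}

main() {
  make_ca
  issue_cert server "/CN=example.test"
  issue_cert alice  "/CN=alice"
  # A well-formed cert from an unrelated issuer must still be rejected.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=mallory" \
    -keyout "$WORK/mallory.key" -out "$WORK/mallory.crt" 2>/dev/null
  write_apache_conf
  verify_client_cert "$WORK/alice.crt"   && echo "alice: accepted ($(client_subject "$WORK/alice.crt"))"
  verify_client_cert "$WORK/mallory.crt" || echo "mallory: rejected (not signed by our CA)"
  echo "Apache directives written to $WORK/mtls.conf"
}

main "$@"
```

Two practical points the thread does not spell out: `SSLCACertificateFile` should contain only the CA you actually issue client certificates from, because any certificate chaining to anything in that file is accepted at the TLS layer, and a lost or stolen client certificate can only be blocked by revocation (`SSLCARevocationFile` or OCSP), so plan for that before relying on certificates as the sole login factor.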
