On Tue, Jul 21, 2009 at 11:22:58AM +0200, Andreas Veithen wrote:
> > Well, if not through different stores, how can we let the KeyManager know
> > what cert to use for this particular endpoint?
>
> If I remember well, this is how it works: during the handshake, the
> server presents a list of trusted CAs to the client. The client then
> selects the certificate that is signed (directly or indirectly) by
> that CA and uses that to authenticate. I'm pretty sure this is what
> happens when you create a java.net.URL with the https scheme and call
> openConnection on it. Since behind the scenes this uses an SSLContext,
> chances are high that it also works with our HTTPS transport (or that
> it would be pretty easy to make it work).
>
> Of course this only satisfies the requirement if the two endpoints use
> different CAs, which should be the usual case.
>
> Andreas
Hi Andreas

I may be wrong about it but I believe the client can present whatever
client cert it pleases. That cert does not _have_ to be signed by one of
the trusted CA certs sent to the client by the server. For instance, common
browsers simply pop up a UI dialog and let you pick any client certificate
available in the certificate store, if the server requests client
authentication in the course of SSL context negotiation.

Oleg

> ---------------------------------------------------------------------
> To unsubscribe, e-mail: [email protected]
> For additional commands, e-mail: [email protected]
> ---------------------------------------------------------------------
