Hi Andreas

> That is possible, but it is only relevant for a scheme where the
> consumer of the service creates a certificate himself (typically a
> self-signed certificate) and somehow registers that with the provider
> of the service. This implies that the provider has to manage a list of
> recognized client certificates to authenticate the client. I don't
> think that is a usual scheme for Web services (BTW, how would you do
> that with Axis2?), but that it is more usual for the provider to issue
> certificates to the consumer, so that authentication is based on the
> signature on the client certificate. But again, this is a question
> about the requirements.
> See : http://publib.boulder.ibm.com/infocenter/tivihelp/v5r1/index.jsp?topic=/com.ibm.itim.infocenter.doc/cpt/cpt_ic_security_ssl_authent2way.html
"Two-way SSL authentication is also referred to as client authentication because the application acting as an SSL client presents its certificate to the SSL server after the SSL server authenticates itself to the SSL client."

The client must decide and send its identity certificate to the server once the server has been authenticated. In this case, if the same client needs to talk to Customer A and Customer B, where both use their own CAs and give custom client identity certs to the client to use when talking to them, the client now has to pick the correct one to be used, depending on who it is talking to.

It's like having a university ID card and a public library ID card. You can carry both, but must show the correct one depending on where you are going.

I've come across this situation many years back when a large US firm had to talk to multiple 3rd parties, and this is a real issue that is common and needs to be solved.

cheers
asankha

--
Asankha C. Perera
AdroitLogic, http://adroitlogic.org
http://esbmagic.blogspot.com
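The selection problem Asankha describes, as an added example that is not from this thread or from Axis2: a JSSE key manager that picks, from a keystore holding one client cert per customer, the certificate whose issuer is among the CAs the server names in its CertificateRequest. The class name and the keystore layout (one alias per customer CA) are assumptions.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Arrays;
import javax.net.ssl.*;

/** Hypothetical key manager: chooses the client cert issued by a CA the server says it accepts. */
public class IssuerSelectingKeyManager extends X509ExtendedKeyManager {
    private final X509KeyManager delegate;

    public IssuerSelectingKeyManager(KeyStore ks, char[] password) throws Exception {
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, password);
        this.delegate = (X509KeyManager) kmf.getKeyManagers()[0];
    }

    /** First alias whose leaf certificate was issued by one of the CAs the server listed. */
    String selectAlias(String[] keyTypes, Principal[] issuers) {
        for (String keyType : keyTypes) {
            String[] aliases = delegate.getClientAliases(keyType, null);
            if (aliases == null) continue;
            for (String alias : aliases) {
                X509Certificate[] chain = delegate.getCertificateChain(alias);
                if (chain == null || chain.length == 0) continue;
                Principal issuer = chain[0].getIssuerX500Principal();
                // X500Principal.equals compares canonical DNs, so "Customer A CA" matches itself only
                if (issuers == null || Arrays.asList(issuers).contains(issuer)) return alias;
            }
        }
        return null; // no cert for this server's CA: JSSE sends no client cert and the server decides
    }

    @Override public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        return selectAlias(keyType, issuers);
    }
    @Override public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) {
        return selectAlias(keyType, issuers);
    }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return delegate.chooseServerAlias(keyType, issuers, socket);
    }
    @Override public String[] getClientAliases(String k, Principal[] i) { return delegate.getClientAliases(k, i); }
    @Override public String[] getServerAliases(String k, Principal[] i) { return delegate.getServerAliases(k, i); }
    @Override public X509Certificate[] getCertificateChain(String a) { return delegate.getCertificateChain(a); }
    @Override public PrivateKey getPrivateKey(String a) { return delegate.getPrivateKey(a); }
    // Install with: ctx.init(new KeyManager[]{ new IssuerSelectingKeyManager(ks, pw) }, trustManagers, null)
}
```

If a server sends an empty CA list (allowed in TLS), `issuers` is null and the first alias wins, so a deployment that talks to such servers still needs a per-destination mapping (for example keyed on the socket's peer host) as a fallback.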
