Andrew, that's a good thought. I'm not knowledgeable enough to tell whether it 
is perfect from a cryptographic point of view or not.

FWIW though, that is not how X.509 standard client authentication works. It 
works the way I described, in accordance with RFC 5246 7.4.6.

Passwords work, and are obviously THE most common form of client 
authentication. I think a primary usage of client certificate authentication is 
with unattended processes. (Think z/OS jobs!) There is no one available to key 
in a password, and passwords stored in files make the auditors very cranky.

Charles


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Andrew Rowley
Sent: Thursday, August 29, 2019 6:38 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: vendor distributes their private key

On 29/08/2019 9:18 am, Charles Mills wrote:

> But for certificate-based client authentication, the server admin must send 
> the client admin a client certificate AND its private key. Why? 
> Philosophically, because a client certificate signed by a trusted CA does not 
> prove the authenticity of the client. A man-in-the-middle might have 
> previously intercepted the certificate and now be sending it out from HIS 
> client as its own.

This doesn't sound right somehow. I suspect it is often implemented that 
way, but it sounds worse than password authentication with a good password.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
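The handshake the two posts disagree about, shown as an added example (constructed for this thread, not code from either poster or from any IBM product): in RFC 5246 the Certificate message (7.4.6) carries only the client's certificate, and the CertificateVerify message (7.4.8) carries a signature over the handshake transcript made with the client's private key, which is how the server distinguishes the real key holder from someone who merely captured the certificate. The CA, the client key (generated and kept on the client), the names `newCert`, `serverVerify` and `Demo`, and the stand-in transcript string are all assumptions of this demo.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// newCert has the CA (caKey) issue a certificate over pub: only the public key is needed, so the subject's private key never leaves the subject. parent == nil makes a self-signed root.
func newCert(serial int64, cn string, pub ed25519.PublicKey, parent *x509.Certificate, caKey ed25519.PrivateKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn}, BasicConstraintsValid: true,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil { // self-signed root
		tmpl.IsCA, parent = true, tmpl
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, caKey)
	if err != nil {
		panic(err) // demo: stop at the first failure
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}
// serverVerify mirrors the server side of RFC 5246 7.4.6 (Certificate) and 7.4.8 (CertificateVerify): chain the presented certificate to a trusted CA, then check the signature over the handshake transcript with the certificate's public key.
func serverVerify(roots *x509.CertPool, cert *x509.Certificate, transcript, sig []byte) bool {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return false
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, transcript, sig)
}
// Demo returns (genuine, impostor): the client holding its own key passes; a party that captured only the certificate and signs with some other key does not.
func Demo() (bool, bool) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)         // crypto/rand.Reader does not fail
	clientPub, clientKey, _ := ed25519.GenerateKey(rand.Reader) // generated and kept on the client; never sent by the server
	_, otherKey, _ := ed25519.GenerateKey(rand.Reader)          // impostor: has the cert, not its key
	caCert := newCert(1, "Constructed Demo CA", caPub, nil, caKey)
	clientCert := newCert(2, "batch-job-client", clientPub, caCert, caKey)
	roots := x509.NewCertPool()
	roots.AddCert(caCert)
	transcript := []byte("constructed handshake transcript, ClientHello..ClientKeyExchange")
	return serverVerify(roots, clientCert, transcript, ed25519.Sign(clientKey, transcript)),
		serverVerify(roots, clientCert, transcript, ed25519.Sign(otherKey, transcript))
}
```

For an unattended job this is the usual pattern: the job's key pair is generated where the job runs, only a certificate request leaves that system, and the CA returns a certificate.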