On Wed, 3 Dec 2008 01:01:56 -0500, Alan Altmark <[EMAIL PROTECTED]> wrote:
>What sort of information about the SSL session is useful to an app? We
>have thrown around the idea of an ibmsockopt or ioctl that would tell the
>app whether or not the session is protected and, if so, by what encryption
>suite. (The info is available in the Pascal API, but not C.)
>
>Supporting client-side certificates is only useful (IMO) if you have a way
>to correlate the client cert to a user ID registry.
>
>I think that it is safe to say that "soon" would not be an adjective to
>use in this case.
>
>Alan Altmark
>z/VM Development
>IBM Endicott

That's a really good question. The developers asked me the same question. I'm not a security expert, so I'm not sure I know the answer. (The developers work for Information Security, but are not a part of IS.)

For the particular project we are working on, the "client" was actually another server, and the data was userids and passwords. The most important thing they want to do is to make sure that the data was actually encrypted. Otherwise, someone could have changed it, or stolen it. It seems probable that knowing the number of bits of encryption (128 or 168) would be valuable. Perhaps also the cipher suite -- but they seem to have multiple names, so that is confusing.

They want to use client certificates to be sure the passwords were being sent by one of their own servers, and not some interloper. These are not "personal" certificates, and might not appear in a registry. (Or they might.) They also seemed to want information about all levels of certificate (we have 4). We are our own CA, so they were not interested in the standard certificates built-in to a web browser or server.

Beyond that I cannot help, although I could go ask questions.

I think we do have a way to correlate userids to client certificates. It might be Active Directory or LDAP based.
When we were working on the z/VM 5.3.0 ESP, we were told we DO NOT want to use LDAP, but only Active Directory. But last month I was told we are migrating our cMTA (Corporate Mail Transfer Agent) to an "LDAP-based" one. I'm not at all clear what that means. I guess I will go ask.

Alan Ackerman
Alan (dot) Ackerman (at) Bank of America (dot) com
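The checks the two posts above are circling, as an added example that is not from the thread and not z/VM code: the question is what an application needs to learn about its SSL session before it trusts that session with user IDs and passwords. The Go program below uses Go's crypto/tls as a stand-in for the z/VM sockopt/ioctl under discussion (which is not shown). It builds a private PKI with three levels (root, issuing CA, leaf; the post mentions four), runs a mutually authenticated handshake over loopback, and then reads off exactly the items asked for: whether the handshake completed, the negotiated version and cipher suite name, the whole verified client chain from leaf to root, and the user ID the client certificate maps to. A second run presents a client certificate from a CA the server does not trust, and the server refuses the handshake before any password could cross the wire. The hostnames, CNs, the `registry` map and the user ID `SRVMTA01` are all constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// SessionInfo is what the application wants to know before it sends passwords:
// is the session protected, by which suite, who is the peer, which user ID is that.
type SessionInfo struct {
	Protected   bool   // TLS handshake completed
	Version     uint16 // negotiated protocol version (0x0303 = TLS 1.2, 0x0304 = TLS 1.3)
	CipherSuite string // IANA name of the negotiated suite
	ChainDepth  int    // certificates in the verified client chain, leaf through root
	ClientCN    string // subject CN of the client's leaf certificate
	UserID      string // user ID the certificate maps to; "" if unknown
}

// registry stands in for the AD/LDAP lookup that ties a client cert to a user ID (constructed).
var registry = map[string]string{"mta01.example.internal": "SRVMTA01"}

var serial int64

// makeCert issues a certificate for cn signed by parent (self-signed root when parent is nil).
func makeCert(cn string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		tmpl.DNSNames = []string{cn} // leaves are matched on their SAN, not the CN
	}
	signer, signerKey := tmpl, key
	if parent != nil { signer, signerKey = parent, parentKey }
	der, err := x509.CreateCertificate(rand.Reader, tmpl, signer, &key.PublicKey, signerKey)
	if err != nil { panic(err) }
	cert, err := x509.ParseCertificate(der)
	if err != nil { panic(err) }
	return cert, key
}

// inspect is the server-side form of the "is this session protected, and by what?" query.
func inspect(conn *tls.Conn) SessionInfo {
	st := conn.ConnectionState()
	info := SessionInfo{Protected: st.HandshakeComplete, Version: st.Version, CipherSuite: tls.CipherSuiteName(st.CipherSuite)}
	if len(st.VerifiedChains) > 0 {
		chain := st.VerifiedChains[0] // leaf first, then each CA up to the trusted root
		info.ChainDepth = len(chain)
		info.ClientCN = chain[0].Subject.CommonName
		info.UserID = registry[info.ClientCN]
	}
	return info
}

// RunHandshake builds a root -> issuing CA -> leaf PKI, runs a mutually authenticated
// handshake over loopback and returns the server's view. With rogue set, the client's
// certificate comes from a CA the server does not trust and the handshake must fail.
func RunHandshake(rogue bool) (SessionInfo, error) {
	root, rootKey := makeCert("Example Root CA", true, nil, nil)
	issuing, issuingKey := makeCert("Example Issuing CA", true, root, rootKey)
	srv, srvKey := makeCert("auth.example.internal", false, issuing, issuingKey)
	cli, cliKey := makeCert("mta01.example.internal", false, issuing, issuingKey)
	cliChain := [][]byte{cli.Raw, issuing.Raw}
	if rogue {
		rogueCA, rogueKey := makeCert("Interloper CA", true, nil, nil)
		cli, cliKey = makeCert("mta01.example.internal", false, rogueCA, rogueKey)
		cliChain = [][]byte{cli.Raw, rogueCA.Raw}
	}
	roots := x509.NewCertPool()
	roots.AddCert(root) // only our own root is trusted, in both directions
	srvCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{srv.Raw, issuing.Raw}, PrivateKey: srvKey}},
		ClientAuth:   tls.RequireAndVerifyClientCert, ClientCAs: roots, MinVersion: tls.VersionTLS12,
	}
	cliCfg := &tls.Config{
		Certificates: []tls.Certificate{{Certificate: cliChain, PrivateKey: cliKey}},
		RootCAs:      roots, ServerName: "auth.example.internal", MinVersion: tls.VersionTLS12,
	}
	ln, err := net.Listen("tcp", "127.0.0.1:0")
	if err != nil { return SessionInfo{}, err }
	defer ln.Close()
	done := make(chan struct{})
	defer close(done)
	go func() {
		if c, err := tls.Dial("tcp", ln.Addr().String(), cliCfg); err == nil {
			<-done // hold the client side open until the server has finished inspecting
			c.Close()
		}
	}()
	raw, err := ln.Accept()
	if err != nil { return SessionInfo{}, err }
	server := tls.Server(raw, srvCfg)
	defer server.Close()
	if err := server.Handshake(); err != nil {
		return SessionInfo{}, fmt.Errorf("handshake rejected: %w", err)
	}
	info := inspect(server)
	if !info.Protected || info.UserID == "" {
		return info, fmt.Errorf("refusing traffic: protected=%v, client %q not in registry", info.Protected, info.ClientCN)
	}
	return info, nil
}

func main() {
	for _, rogue := range []bool{false, true} {
		info, err := RunHandshake(rogue)
		fmt.Printf("rogue=%v %+v err=%v\n", rogue, info, err)
	}
}
```

Run it with `go run`; the first line prints the inspected session with a three-certificate chain and the mapped user ID, the second prints the rejection of the interloper's certificate. The point of `inspect` is that the application, not just the transport layer, gets to see the handshake result and the registry match, and refuses to send the password when either is missing.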
