Moving forwards a lot of authentication will be done in an HTTP friendly stateless manner, namely via HTTPS where the user is identified by client side ssl certificates.

In order to give the user a certificate, you need to generate one, which you can currently do with openssl in php, and provide the user with a pkcs12 certificate+private key to install.

However, pkcs12 has a security flaw in that the application giving the certificates also has the private key. SPKAC addresses this because the private key never leaves the user's browser, thus it is the preferred option - and as mentioned there will be an ever increasing need for this in PHP once HTML5 takes off (due to the KEYGEN element which is widely supported already) and FOAF+SSL which as I mentioned will be going through standardisation in the near future.

Best,

Nathan

Sriram Natarajan wrote:
I am curious as to why you need this feature within PHP. I would
expect that web server administrators typically need such a feature but
I am missing the context of it within the PHP script engine.

- Sriram

On Tue, May 18, 2010 at 2:05 AM, Nathan Rixham <nrix...@gmail.com> wrote:
Hi All,

Wondering if there is any support for SPKAC [1] in the openssl extension for
PHP?

If not is it planned, and if not can it be? KEYGEN/SPKAC support is growing
in the UA vendors and KEYGEN is part of HTML5, being the preferred way to
generate client side SSL certificates since the private key never leaves the
browser. Further the need for client side certificate generation will be
growing somewhat over the next couple of years thanks to FOAF+SSL - which I
believe is about to start going through standardisation.

At the minute we have to take a rather hacky approach in PHP [2] and it
gets much worse if you want to use x509 v3 extensions, you have to go
through a nasty process of using a bash script to gen a custom openssl.conf
on the fly to use in the SPKAC request.

Best,

Nathan

[1] http://en.wikipedia.org/wiki/Spkac
[2] http://lists.whatwg.org/pipermail/whatwg-whatwg.org/attachments/20080714/07ea5534/attachment.txt

--
PHP Internals - PHP Runtime Development Mailing List
To unsubscribe, visit: http://www.php.net/unsub.php
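
The server-side half of the SPKAC flow discussed in this thread, as an added example that is not code from any of the posters or from the PHP project. It assumes PHP 7 or later with the `openssl_spki_*` functions (which entered the openssl extension in PHP 5.6, after this thread); the function name `spkac_public_key` is hypothetical, the sample SPKAC is constructed locally to stand in for a browser, and certificate issuance itself is not shown.

```php
<?php
// Added example: validate an SPKAC before issuing a client certificate.
// Assumes PHP >= 7 with the openssl extension (openssl_spki_* functions).

/**
 * Check an SPKAC and return the PEM public key it carries.
 * $spkac:    base64 SPKAC from the form field (optional "SPKAC=" prefix)
 * $expected: challenge string the server issued for this session
 */
function spkac_public_key(string $spkac, string $expected): string
{
    // Normalise: drop an optional "SPKAC=" prefix and any whitespace.
    $spkac = preg_replace('/^SPKAC=|\s+/', '', $spkac);

    // 1. The signature proves the sender holds the matching private key.
    if (!openssl_spki_verify($spkac)) {
        throw new RuntimeException('SPKAC signature check failed');
    }
    // 2. The signed challenge must be the one issued for this session,
    //    otherwise a previously captured SPKAC could be replayed.
    $challenge = openssl_spki_export_challenge($spkac);
    if ($challenge === false || !hash_equals($expected, $challenge)) {
        throw new RuntimeException('SPKAC challenge mismatch');
    }
    // 3. Only the public key is available to the server; it is the key
    //    that would be placed in the issued certificate.
    $pem = openssl_spki_export($spkac);
    if ($pem === false) {
        throw new RuntimeException('could not export public key');
    }
    return $pem;
}

// Constructed sample input: generate a key pair locally and sign a
// per-session challenge, as a browser would do on form submission.
$challenge = bin2hex(random_bytes(16));
$clientKey = openssl_pkey_new([
    'private_key_bits' => 2048,
    'private_key_type' => OPENSSL_KEYTYPE_RSA,
]);
$spkac = openssl_spki_new($clientKey, $challenge, OPENSSL_ALGO_SHA256);

echo spkac_public_key($spkac, $challenge);       // PEM public key

try {
    spkac_public_key($spkac, 'some-other-challenge');
} catch (RuntimeException $e) {
    echo 'rejected: ', $e->getMessage(), "\n";   // challenge mismatch
}
```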




