Hakan Tandogan wrote:
> We are designing a Web-based application that will use client
> certificates as an alternate possibility of authentication. There seem to be
> xxx options.
>
> First, we could create our own CA and assign the users self-generated
> certificates. This has the drawback that the users get all those warning dialogs
> (our users will most likely be the non-technical, easy-to-panic type).
You're mixing up server certificates with client certificates.
If you give yourself a self-generated certificate and install it on your
server, then yes - your easy-to-panic client browsers will throw
warnings all over the show, as they should, because their browsers do
not trust you or the authority (also you) that signed your certificate.
In the case of the client certificates it's all the other way round. If
any warnings will be thrown, it will be your server that starts to shout
and scream (in the form of denying access to clients). But then your
server is completely under your control and your trust, and you will
tell your server to trust all certificates signed by you anyway, so
there is no problem.
> Another possibility would be to have them get certificates from, say,
> thawte. We would map those certificates to our internal database. Downside: the
> users will have to go to another server they possibly know nothing about.
> Remember that they are most likely non-technical people.
Companies like Thawte offer to issue client certificates for people who
do not want to do the job themselves, either because they don't want to
understand the process, or because they don't trust themselves to do the
job properly.
It is quite possible (and recommended if you're paranoid) to generate
and issue the certs yourself. You trust yourself, after all. It's the
most secure way.
But - it's only secure if you approach the issuing of the certificates
properly. If your cert-generating equipment is left unprotected, or if
you do not verify the identity of the people you hand your certs out to,
then all security is lost.
Regards,
Graham
--
-----------------------------------------
[EMAIL PROTECTED] "There's a moon
over Bourbon Street
tonight...
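The trust direction Graham describes, as an added example that is not part of the original thread: a private CA (you) issues a client certificate, and the server-side check accepts anything that CA signed while rejecting a certificate the user made up on their own. The CA name, user name and file names are invented for the demonstration.

```shell
#!/bin/sh
# Added example, not code from the mod_ssl list thread. Requires the openssl CLI.
set -e

# Build a throwaway private CA, issue one client cert, and run the check a
# server would run: "was this signed by my CA?". Prints "issued:OK rogue:FAIL"
# when the legitimate cert verifies and the self-made one is rejected.
demo_private_ca() (
  work=$(mktemp -d)
  cd "$work"

  # 1. The CA key and self-signed CA certificate. This is "you"; ca.key is the
  #    cert-generating equipment that must stay protected.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/CN=Example Internal CA" -keyout ca.key -out ca.crt 2>/dev/null

  # 2. A user's key and signing request, then a client cert signed by the CA.
  #    In practice this is where you verify who you are handing the cert to.
  openssl req -newkey rsa:2048 -nodes -subj "/CN=alice" \
    -keyout alice.key -out alice.csr 2>/dev/null
  openssl x509 -req -in alice.csr -CA ca.crt -CAkey ca.key \
    -CAcreateserial -days 30 -out alice.crt 2>/dev/null

  # 3. A self-signed cert with the same name that the CA never vouched for.
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=alice" \
    -keyout rogue.key -out rogue.crt 2>/dev/null

  # 4. The server-side decision: trust exactly the chain rooted at ca.crt.
  #    Trust rests on the CA signature, not on the name in the certificate.
  if openssl verify -CAfile ca.crt alice.crt >/dev/null 2>&1; then
    issued=OK; else issued=FAIL; fi
  if openssl verify -CAfile ca.crt rogue.crt >/dev/null 2>&1; then
    rogue=OK; else rogue=FAIL; fi

  cd / && rm -rf "$work"
  echo "issued:$issued rogue:$rogue"
)

demo_private_ca
```

In mod_ssl the same decision is expressed by pointing SSLCACertificateFile at ca.crt and setting SSLVerifyClient require; the browser side never sees a warning because only the server evaluates the chain.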
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]