Hello,

I've got what are probably some pretty basic questions on SSL, but I can't find an answer anywhere I've looked!

We're setting up a system where we will require the use of client-side certificates. Does there need to be some relation between the server's and the client's certificates? That is, do they need to be signed by the same CA? Is this an SSL issue, or is this an implementation issue (mod_ssl)?

Also, we're planning to use Identrus (www.identrus.com) certificates when they are ready. Identrus IDs are hardware based, so that changes things quite a bit. Does anyone know what the plans are (if any) for Identrus support on Netscape and MSIE?

Also, I understand that Identrus will require a "validation" service to authenticate the user. That is, presentation of an Identrus ID is not enough. I know that some cryptography vendors are coming out with plugins to "Identrus'ify" iPlanet and MS IIS. I'm not sure how this really works, since the browsers don't have Identrus support yet. Are there any plans for something similar for mod_ssl?

And last but not least: we need to implement some mechanism for non-repudiation in the system. Users will be filling in forms and posting them to the Web app. We're looking at using Acrobat PDF forms for this. Unfortunately, Acrobat PDF forms do not support signing of the submitted data (yet?). That means that we need to use some alternate mechanism.

Also related: we have to consider that signing the posted data is not good enough for non-repudiation, since you need to be able to prove that the form itself hasn't changed from the one that was signed (not an issue with paper).

So our current idea is to use FDFMerge from "Digital Applications, Inc" (http://www.digapp.com/newpages/fdfmerge.html) to merge the filled-in data into the form itself, generating a final PDF, and then have the Web application "sign" that resulting PDF document.

I can't think of a way to have the browser do the signing, so we're trying to figure out a mechanism to "stamp" the resulting PDF with some client certificate info when the user clicks on a "sign" button on the form. Fortunately the new law is vague enough so that some approach like this one may be valid. Does mod_ssl offer something we might be able to use for doing this?

Thanks
--G

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List
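
The "stamp" idea described in the message above, sketched as an added example (not code from the original post or from mod_ssl): the digest of the merged PDF is bound to the client certificate details that mod_ssl exports as `SSL_CLIENT_*` environment variables when `SSLOptions +StdEnvVars` is set. The function names, sample values, timestamp and server key are constructed for illustration, and the HMAC seal stands in for whatever signature the Web application would actually apply.

```python
import hashlib
import hmac
import json

# Constructed sample values; a real handler reads these from the request
# environment that mod_ssl fills in (SSLOptions +StdEnvVars).
SAMPLE_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_S_DN": "/C=US/O=Example Bank/CN=Jane Doe",
    "SSL_CLIENT_I_DN": "/C=US/O=Example CA/CN=Example Issuing CA",
    "SSL_CLIENT_M_SERIAL": "0A1B2C",
}
SERVER_KEY = b"constructed-demo-key"  # assumption: held only by the Web app


def _payload(record):
    # Canonical JSON so the same record always yields the same MAC input.
    return json.dumps(record, sort_keys=True, separators=(",", ":")).encode()


def make_stamp(pdf_bytes, env, signed_at, key=SERVER_KEY):
    """Bind the digest of the merged PDF to the verified client certificate."""
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        raise PermissionError("client certificate was not verified by mod_ssl")
    record = {
        # Digest covers the final PDF, i.e. the form and the filled-in data.
        "pdf_sha256": hashlib.sha256(pdf_bytes).hexdigest(),
        "subject_dn": env["SSL_CLIENT_S_DN"],
        "issuer_dn": env["SSL_CLIENT_I_DN"],
        "cert_serial": env["SSL_CLIENT_M_SERIAL"],
        "signed_at": signed_at,
    }
    record["seal"] = hmac.new(key, _payload(record), hashlib.sha256).hexdigest()
    return record


def verify_stamp(pdf_bytes, stamp, key=SERVER_KEY):
    """True only if the seal is intact and the PDF is the one that was stamped."""
    record = {k: v for k, v in stamp.items() if k != "seal"}
    expected = hmac.new(key, _payload(record), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(expected, str(stamp.get("seal", ""))):
        return False
    actual = hashlib.sha256(pdf_bytes).hexdigest()
    return hmac.compare_digest(str(record.get("pdf_sha256", "")), actual)


if __name__ == "__main__":
    merged = b"%PDF-1.3 constructed form with filled-in fields"
    stamp = make_stamp(merged, SAMPLE_ENV, "2000-01-01T00:00:00Z")
    print(verify_stamp(merged, stamp), verify_stamp(merged + b" ", stamp))
```

A seal of this kind records what the server observed on an authenticated connection; it is not a signature made with the client's private key.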
