Hi:
I am working on securing a webservice front-ended by the Apache webserver.
 
It is possible that in this application the requirements will be:
(1) Clients be authenticated using a password they enter using a form that is secured using https. For this I am planning to download mod_ssl and get a certificate from VeriSign/Thawte. I have the information I need to enable this [documentation avail on the net].
 
(2) Once the client is verified, then it is possible that subsequent interactions of that client will include 'getting' documents from this website. The only caveat is: It is possible that once signed in, the exchange between the client/server will require no encryption, but only a digital signature to guarantee that the document has not been tampered with.
 
My question relates to (2). Is it possible to set up a mod_ssl + Apache configuration such that the sign-in of the client happens using a form enabled over https [contents are encrypted], but subsequent interactions of an authenticated client do not suffer encryption while simultaneously providing a digital signature guarantee [hence ensuring that the document is tamper-proof]? So basically, I am asking:
2.1) Is it possible to turn on signing while disabling encryption?
2.2) Is this possible to do over one webserver using virtual hosts or will I need more than one instance of the service?
 
Thanks in advance.
Arjun Khanna.
 

