-----Original Message-----
From: Gastón Christen
Sent: Tuesday, 24 September 2002 10:00
To: 'Gregory Stark'
Subject: RE: Question about auth with client certificates
Ok, I get it.
But I would be happier if I were able to authenticate not the
certificate subject, but the public key itself. Maybe I'm not the kind of
person who trusts others to do the job.
Thanks a lot for your help.
Gastón Christen
-----Original Message-----
From: Gregory Stark [mailto:[EMAIL PROTECTED]]
Sent: Monday, 23 September 2002 20:35
To: Gastón Christen
Subject: Re: Question about auth with client certificates
How can somebody other than you get a certificate from Verisign with your
name in the subject? You have to trust the CA to do this correctly.
That is the essential function of a CA. The signature on the certificate,
say, Verisign's, attests that: "Verisign has done some work to guarantee that
the person named in the subject is in fact that person, and further that
they have access to the private key that matches the public key in this
certificate".
The guarantee is only as good as the amount or quality of checking done by
the CA. Some CAs, like Verisign, have differing levels or grades of
certificate corresponding to more or less strict checks. In general, the
more checking, the more expensive the certificate.
======================
Greg Stark
[EMAIL PROTECTED]
======================
----- Original Message -----
From: "Gastón Christen" <[EMAIL PROTECTED]>
To: "'Gregory Stark'" <[EMAIL PROTECTED]>
Sent: Monday, September 23, 2002 8:47 AM
Subject: RE: Question about auth with client certificates
Hi Gregory, thanks for your answer.
I know the basics of this directive. My doubts are related to the fact that
I'm not sure if the subject of an X.509 certificate is good enough to
authenticate somebody.
Let's suppose that one of my clients gave me his certificate (for example
one signed by Verisign), then I put his subject in my "passwords file"
(using FakeBasicAuth).
What stops other people (the bad guys) from obtaining a certificate from another
Certificate Authority with the same subject? (and using it to authenticate
on my site, impersonating my client)
(Obviously supposing that both CAs are trusted by my Apache SSL)
I'd really appreciate your explanation.
Gaston
-----Original Message-----
From: Gregory Stark [mailto:[EMAIL PROTECTED]]
Sent: Friday, 20 September 2002 18:26
To: Gastón Christen
Subject: Re: Question about auth with client certificates
Look at the FakeBasicAuth option of the SSLOptions configuration directive. See
http://www.modssl.org/docs/2.8/ssl_reference.html
======================
Greg Stark
[EMAIL PROTECTED]
======================
----- Original Message -----
From: "Gastón Christen" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, September 20, 2002 10:08 AM
Subject: Question about auth with client certificates
> Hi, I'm new to the Apache/OpenSSL world and I have a question (maybe it's me,
> but I don't understand something about client certificate authentication in
> Apache).
> I have Apache 2.40 with OpenSSL 0.9.6g running on my win32 machine without a
> problem.
> I want to establish an extranet and let users authenticate with client
> certificates. I set up my config files (httpd.conf & ssl.conf) to do this
> and it is working fine.
>
> Here is my problem:
>
> If I trust (for example) Verisign (putting their certificate in the
> SSLCACertificateFile) and filter the certificates I accept with some config
> lines like
>
> #SSLRequire ( %{SSL_CIPHER} !~ m/^(EXP|NULL)/ \
> # and %{SSL_CLIENT_S_DN_O} eq "Snake Oil, Ltd." \
> # and %{SSL_CLIENT_S_DN_OU} in {"Staff", "CA", "Dev"} \
>
> How can I be sure that I'm letting in ONLY my extranet users and not anybody
> else with a certificate signed by Verisign whose DN matches my filter?
>
> Is there any way to tell Apache to accept only certain certificates? (not
> necessarily signed by the same CA) (maybe a file with the certificates
> concatenated)
>
> My original intention was to tell my extranet users to request a certificate
> on their own (with the CA they like the most), and then use those
> certificates to let them in.
>
> Thanks in advance.
>
>
> Gaston Christen
> Internet Technology
> Siemens Itron Business Services
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
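Gastón's wish in his last reply, to authenticate the public key itself rather than the subject DN, amounts to keeping an allowlist of SubjectPublicKeyInfo fingerprints instead of DNs. The following is an added example, not code from the thread or from mod_ssl: a minimal pure-Python DER walker that extracts the SPKI from a certificate and checks its SHA-256 against such a list. The two sample certificates are constructed, unsigned skeletons with the same subject but different keys (the impersonation case from the thread), and `sample_cert`, `is_allowed` and the other names are this example's own.

```python
import hashlib

def der(tag, content):
    """Encode one DER TLV (lengths below 65536 bytes, enough for this demo)."""
    n = len(content)
    length = bytes([n]) if n < 0x80 else bytes([0x81, n]) if n < 0x100 else bytes([0x82, n >> 8, n & 0xFF])
    return bytes([tag]) + length + content

def elements(seq):
    """Split DER SEQUENCE content into (tag, content, raw_tlv) triples."""
    out, i = [], 0
    while i < len(seq):
        start, tag, n, i = i, seq[i], seq[i + 1], i + 2
        if n & 0x80:                                   # long form: low bits = number of length bytes
            k = n & 0x7F
            n, i = int.from_bytes(seq[i:i + k], "big"), i + k
        out.append((tag, seq[i:i + n], seq[start:i + n]))
        i += n
    return out

def tbs_fields(cert_der):
    """tbsCertificate fields minus the optional [0] version: serial, sigAlg, issuer, validity, subject, SPKI."""
    fields = elements(elements(elements(cert_der)[0][1])[0][1])
    return fields[1:] if fields[0][0] == 0xA0 else fields

def subject_der(cert_der):
    return tbs_fields(cert_der)[4][2]                   # raw Subject TLV (what a DN filter compares)

def spki_fingerprint(cert_der):
    """Hex SHA-256 over the whole SubjectPublicKeyInfo TLV: the per-user value to pin."""
    return hashlib.sha256(tbs_fields(cert_der)[5][2]).hexdigest()

def is_allowed(cert_der, allowed_spki_sha256):
    return spki_fingerprint(cert_der) in allowed_spki_sha256

def sample_cert(cn, pubkey):
    """Constructed, unsigned certificate skeleton with just enough DER to exercise the parser."""
    name = der(0x30, der(0x31, der(0x30, der(0x06, b"\x55\x04\x03") + der(0x0C, cn.encode()))))  # CN=<cn>
    rsa = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x01") + der(0x05, b""))        # rsaEncryption
    sig = der(0x30, der(0x06, b"\x2a\x86\x48\x86\xf7\x0d\x01\x01\x0b") + der(0x05, b""))        # sha256WithRSA
    validity = der(0x30, der(0x17, b"020920000000Z") + der(0x17, b"030920000000Z"))
    tbs = der(0x30, der(0xA0, der(0x02, b"\x02")) + der(0x02, b"\x01") + sig + name + validity
                  + name + der(0x30, rsa + der(0x03, b"\x00" + pubkey)))
    return der(0x30, tbs + sig + der(0x03, b"\x00" * 9))  # signature bytes are dummy

# Constructed sample: the real client's certificate and one issued elsewhere with the same subject.
REAL_CERT = sample_cert("Gaston Christen", b"\x01" * 16)
IMPOSTOR_CERT = sample_cert("Gaston Christen", b"\x02" * 16)
ALLOWED = {spki_fingerprint(REAL_CERT)}                # the allowlist keyed by public key, not by DN
```

`is_allowed(IMPOSTOR_CERT, ALLOWED)` returns False even though `subject_der` is byte-for-byte identical for both certificates, which is exactly the case a DN-only filter cannot distinguish.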