There are two things you need to do: authenticate and then authorize.
C-Kermit provides hooks to organizations in the form of two functions:

  X509_to_user() - who does this certificate represent
  X509_userok()  - may the user gain access with this certificate

C-Kermit provides two implementations by default. One that maps the UID
to the user; and the other that maps the Alt-Name to the user.

  http://www.kermit-project.org/security.html#xa3.11.2

However, you do not have to trust the certificate subject. If you want
you can have the owner of the certificate submit the certificate to you
out of band. You can then store in a database or directory the
certificate (or its fingerprint) and associate that with a username.
When the SSL handshake has successfully completed, grab the certificate,
look it up in the database or directory and then use the username you
have stored. This is what is done at universities that do not want to
put any personal information into the certificates.

> Ok, I get it.
> But I would be happier if I would be able to authenticate not the
> certificate subject, but the public key itself. Maybe I'm not the kind
> of person who trusts others to do the job.
> Thanks a lot for your help.
>
> Gastón Christen

Jeffrey Altman * Sr. Software Designer      Kermit 95 2.0 GUI available now!!!
The Kermit Project @ Columbia University    SSH, Secure Telnet, Secure FTP, HTTP
http://www.kermit-project.org/              Secured with MIT Kerberos, SRP, and
[EMAIL PROTECTED]                           OpenSSL.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
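The fingerprint-registry approach described above, as an added example (not C-Kermit's code and not part of the original mail). It mirrors the authenticate/authorize split of the two C-Kermit hooks in Python: `x509_to_user` answers "who does this certificate represent" by looking the certificate's SHA-256 fingerprint up in a registry that was filled out of band, and `x509_userok` answers "may that user log in as the requested account". The registry is an in-memory dict standing in for the database or directory, the "certificates" are constructed byte strings standing in for real DER-encoded certificates, and the function names, `authorize_peer`, and the `allowed` mapping are my own choices. Because the registry is keyed by the fingerprint of the certificate bytes, a second certificate carrying the same subject name but a different key is simply not found, which is the property the quoted reply asks for.

```python
import hashlib

# Constructed stand-ins for DER-encoded certificates (NOT real certificates).
# Both carry the same "subject" text; only the bytes differ, as a different
# key pair would make them differ in practice.
CERT_ALICE = b"constructed-DER: subject=CN=alice, key=1"
CERT_SAME_SUBJECT_OTHER_KEY = b"constructed-DER: subject=CN=alice, key=2"


def normalize_fingerprint(fp_text: str) -> str:
    """Accept the colon-separated uppercase form printed by
    `openssl x509 -noout -fingerprint -sha256` as well as bare hex,
    and return lowercase hex so registry keys compare reliably."""
    return fp_text.replace(":", "").strip().lower()


def fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the whole DER certificate, lowercase hex."""
    return hashlib.sha256(cert_der).hexdigest()


def register_certificate(registry: dict, cert_der: bytes, username: str) -> str:
    """Out-of-band enrollment: the user hands you the certificate itself."""
    fp = fingerprint(cert_der)
    registry[fp] = username
    return fp


def register_fingerprint(registry: dict, fp_text: str, username: str) -> None:
    """Out-of-band enrollment when only the fingerprint is communicated."""
    registry[normalize_fingerprint(fp_text)] = username


def x509_to_user(registry: dict, cert_der):
    """Authentication hook: who does this certificate represent?
    Returns None when no certificate was presented or it is not enrolled;
    the subject field is never consulted."""
    if not cert_der:
        return None
    return registry.get(fingerprint(cert_der))


def x509_userok(username, requested_login: str, allowed=None) -> bool:
    """Authorization hook: may `username` gain access as `requested_login`?
    Default policy: only your own account. `allowed` (hypothetical) maps a
    username to the set of accounts it may log in as."""
    if username is None:
        return False
    if allowed is None:
        return username == requested_login
    return requested_login in allowed.get(username, ())


def authorize_peer(ssl_sock, registry: dict, requested_login: str, allowed=None):
    """Glue for a real server: after the handshake, ssl.SSLSocket.getpeercert(
    binary_form=True) returns the peer's DER certificate, or None if the peer
    sent none. Returns the enrolled username on success, else None."""
    cert_der = ssl_sock.getpeercert(binary_form=True)
    user = x509_to_user(registry, cert_der)
    return user if x509_userok(user, requested_login, allowed) else None


def demo() -> dict:
    """Run the enrollment and lookup scenario on the constructed inputs."""
    registry = {}
    fp = register_certificate(registry, CERT_ALICE, "alice")
    return {
        "enrolled_cert": x509_to_user(registry, CERT_ALICE),
        "same_subject_other_key": x509_to_user(registry, CERT_SAME_SUBJECT_OTHER_KEY),
        "no_cert": x509_to_user(registry, None),
        "alice_as_alice": x509_userok("alice", "alice"),
        "alice_as_root": x509_userok("alice", "root"),
        "fingerprint_len": len(fp),
    }


if __name__ == "__main__":
    for k, v in demo().items():
        print(f"{k}: {v}")
```

If you enroll by fingerprint rather than by certificate, normalize the text before storing it; an uppercase, colon-separated fingerprint pasted from OpenSSL output will otherwise never match the lowercase hex computed at handshake time.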