Shaun Lipscombe wrote:
> [...] One last question... it's to do with client certificates. If I have two websites, say, and they both require client certificates signed by the CA "ABC. Ltd", there is nothing stopping a client certificate being used for authorization to access both sites even though those two sites may not be aware of each other. Is it up to the webserver to go through the certificate, once it's been shown as being valid, and see whether access should be granted, or is there something I've missed? I created two sites that have a CA "in common" in their acceptable CA list and I can now access both sites with the same certificate. What can I do to avoid such a circumstance?
You should not mix up the fact "The user has a valid certificate" and "The user has access to something".
If you trust a CA it implies that you trust it insofar that it only signs a certificate request containing the CN "Charlie Brown" if it is sure that the request was indeed submitted by the correct "Charlie Brown".
Or to give you another example, this mail should contain a valid signature of "Bernhard Froehlich", certified by Thawte. So you can be reasonably sure that I indeed own an official document stating that I'm really "Bernhard Froehlich". It does not say that I have any knowledge of OpenSSL or something... ;)
It's your job to configure your webserver so that someone with a correct certificate for "Charlie Brown" does have access and someone presenting a valid certificate for "Evil Guy" has not. This admittedly is not so simple most of the time, but is a problem of the webserver, and not of SSL. If you want to go deeper into that subject please contact me directly.
> Shaun [...]
Kind regards, Ted ;)
--
PGP Public Key Information
Download complete Key from http://www.convey.de/ted/tedkey_convey.asc
Key fingerprint = 31B0 E029 BCF9 6605 DAC1 B2E1 0CC8 70F4 7AFB 8D26
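The separation Ted describes, "the certificate is valid" versus "this subject may use this site", as an added example that is not code from the thread: the TLS stack has already verified the chain, and each site then checks the presented subject against its own list. It assumes the nested-tuple layout that Python's `ssl.SSLSocket.getpeercert()` returns; the site names, access lists and certificates are constructed for the example.

```python
# Per-site access lists (constructed). Both sites trust the same CA, but each
# decides independently which certificate subjects it admits.
SITE_ACL = {
    "www.site-a.example": {"Charlie Brown"},
    "www.site-b.example": {"Charlie Brown", "Lucy van Pelt"},
}
TRUSTED_ISSUER_CN = "ABC. Ltd"  # the CA named in the original question


def _dn_field(dn, key):
    """Pull one attribute (e.g. 'commonName') out of a distinguished name in
    the ((('k', 'v'),), ...) layout used by ssl.SSLSocket.getpeercert()."""
    for rdn in dn:
        for k, v in rdn:
            if k == key:
                return v
    return None


def authorize(peercert, site):
    """Return (allowed, reason) for a client certificate on a given site.

    `peercert` is the dict from getpeercert() after a handshake run with
    verify_mode=CERT_REQUIRED, so chain validity is already established.
    An empty dict means the client presented no certificate at all."""
    if not peercert:
        return False, "no client certificate presented"
    issuer_cn = _dn_field(peercert.get("issuer", ()), "commonName")
    if issuer_cn != TRUSTED_ISSUER_CN:
        return False, f"issuer {issuer_cn!r} is not the CA this site trusts"
    subject_cn = _dn_field(peercert.get("subject", ()), "commonName")
    if subject_cn not in SITE_ACL.get(site, set()):
        # Valid certificate, wrong person for this site: this is the check
        # the webserver, not SSL, has to make.
        return False, f"valid certificate, but {subject_cn!r} is not allowed on {site}"
    return True, f"{subject_cn!r} authorized for {site}"


def _cert(cn, issuer_cn=TRUSTED_ISSUER_CN):
    """Constructed certificate in getpeercert() layout (example data only)."""
    return {
        "subject": ((("commonName", cn),),),
        "issuer": ((("commonName", issuer_cn),),),
    }


CHARLIE = _cert("Charlie Brown")
LUCY = _cert("Lucy van Pelt")
EVIL = _cert("Evil Guy")
```

In Apache httpd the same check is expressed in configuration, with `SSLVerifyClient require` to establish validity and a per-site `Require expr` on `%{SSL_CLIENT_S_DN_CN}` to decide authorization.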