> I'm wondering what is the usual criteria for doing client
> verification?  I've got everything coded to ask the client
> for a cert, and I get the cert by calling
> SSL_get_peer_certificate().  But I don't know what to check
> for to verify the client's identity.  Is there some standard
> field(s) that are always present in a client certificate that
> should be checked for?
> Any sample code to read these fields out of an X509* would
> also be greatly appreciated.

The 95% answer to questions on this list applies to you -- what is your
threat model? What are you trying to prevent?

When you say "verify the client's identity", what do you mean? Do you mean:

1) Verify that the client is some one particular person.

2) Verify that the client was authorized by some one particular agent.

3) Verify that we know who the client is, regardless of who specifically he
is.

Or what?

DS


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]