openssl-us...@coreland.ath.cx wrote:

| Hello.

Hello xw,

| I'm considering writing a server program (which provides mostly
| hypothetical services, for the purpose of this discussion). The server
| requires users to register an account on the server before use. The
| service would, I believe, simply bind usernames to one or more
| user-provided public certificates.
|
| Also, for the purposes of this discussion, I control both server and
| client code.

Do you also control client certificate generation? With that you could
configure the server to only accept client certificates issued by your own
CA and set the user name in the client certificates' subject name. This way
you would only have to store your CA certificate and the CRL for all client
certificates that became invalid on the server.

| I'm not 100% certain how to implement this securely, however. Would the
| server cache a copy of each user's public certificate?

If you accept client certificates issued by foreign (not controlled by you)
CAs, you would have to find a way to map between certificate and user. Here
a mapping from issuer name / serial number of the client cert would be
sufficient...

Goetz

--
DMCA: The greed of the few outweighs the freedom of the many

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
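The two identity-mapping strategies Goetz describes, worked through with the openssl command line, as an added example that is not part of the original thread or of OpenSSL itself. It builds a scratch CA, issues a client certificate whose subject CN carries the user name, and then shows (1) the own-CA case, where the server verifies the chain against its CA certificate and reads the user name from the subject, and (2) the foreign-CA case, where issuer name plus serial number becomes the lookup key for a registered user. The CA names, user names, serial numbers and file names are all constructed for the demo; the `cert_username` and `cert_identity_key` helpers are this example's own, not a documented OpenSSL interface. The CRL check Goetz mentions is not shown; in practice it is `openssl verify -crl_check -CRLfile <crl>` (or the equivalent X509_STORE flags in the API) on top of the chain check below.

```shell
#!/bin/sh
# Added example: certificate-to-user mapping for an own CA and for foreign CAs.
# Everything here (CA names, users, serials, file names) is constructed.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a self-signed CA (constructed). -nodes leaves the key unencrypted for the demo only.
make_ca() { # $1 = file prefix, $2 = CA common name
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -subj "/CN=$2" 2>/dev/null
}

# Issue a client certificate whose subject CN is the user name, with a chosen serial.
issue_client_cert() { # $1 = CA prefix, $2 = user name, $3 = serial (hex), $4 = output prefix
  openssl req -newkey rsa:2048 -nodes -keyout "$WORK/$4.key" \
    -out "$WORK/$4.csr" -subj "/CN=$2" 2>/dev/null
  openssl x509 -req -in "$WORK/$4.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
    -set_serial "0x$3" -days 1 -out "$WORK/$4.pem" 2>/dev/null
}

# Strategy 1 (own CA): accept the cert only if it chains to ca.pem, then take the
# user name from the subject CN. Prints the name and returns 0, or prints nothing
# and returns 1. Only ca.pem (plus a CRL) has to be stored server-side.
cert_username() { # $1 = client cert PEM
  openssl verify -CAfile "$WORK/ca.pem" "$1" >/dev/null 2>&1 || return 1
  openssl x509 -in "$1" -noout -subject -nameopt RFC2253 \
    | sed 's/^subject= *//' | tr ',' '\n' | sed -n 's/^CN=//p'
}

# Strategy 2 (foreign CA): issuer DN + serial number uniquely identifies a
# certificate under a given CA, so the pair serves as the key the server maps
# to a registered user. Issuer alone is not enough; CN alone is not trustworthy.
cert_identity_key() { # $1 = client cert PEM
  issuer=$(openssl x509 -in "$1" -noout -issuer -nameopt RFC2253 | sed 's/^issuer= *//')
  serial=$(openssl x509 -in "$1" -noout -serial | sed 's/^serial=//')
  printf '%s|%s\n' "$issuer" "$serial"
}

make_ca ca "Example Service CA"
issue_client_cert ca alice 1234 alice
# Same user name, same serial, but issued by a CA the server does not trust (constructed).
make_ca foreign "Some Other CA"
issue_client_cert foreign alice 1234 other

echo "own-CA user:   $(cert_username "$WORK/alice.pem")"
if cert_username "$WORK/other.pem" >/dev/null; then
  echo "unexpected: foreign-CA cert accepted"; exit 1
fi
echo "foreign-CA cert rejected by the chain check"
echo "lookup key:    $(cert_identity_key "$WORK/other.pem")"
```

The point of the negative case is that a subject CN is only meaningful after the chain check has established who vouched for it: a certificate from any other CA can carry `CN=alice` too, so the own-CA design is only sound when the server pins its own CA certificate. For the foreign-CA design, the issuer/serial key is stable across re-keys only if the CA reuses the serial, which it must not; a user who gets a new certificate therefore has to re-register it, which is what the original poster's "bind usernames to one or more certificates" already allows for.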