On Mon, Jul 13, 2009 at 06:01:02PM +0100, openssl-us...@coreland.ath.cx wrote:
> Hello.
>
> On 2009-07-13 12:15:21, Goetz Babin-Ebell wrote:
> > Do you also control client certificate generation?
> >
> > With that you could configure the server to only accept client
> > certificates issued by your own CA and set the user name in the client
> > certificate's subject name.
> >
> > This way you would only have to store your CA certificate and the CRL
> > for all client certificates that became invalid on the server.
>
> I believe I will be, but what are my options if I don't control
> cert generation?
>
> I think this is why I considered caching copies of client certs
> first of all - I can't verify the identity of an untrusted cert
> but I can at least check that the user presents the same cert
> next time.
>
> > If you accept client certificates issued by foreign (not controlled by
> > you) CAs, you would have to find a way to map between certificate and user.
> > Here would be a mapping from issuer name / serial number of the client
> > cert sufficient...
>
> Right, I'll keep that in mind.

I would use the public-key fingerprint, unless the trust chain is verified
from a fixed set of trusted issuers.

--
	Viktor.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
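The two mapping keys discussed in this thread, as an added example that is not from any of the posters: a fingerprint over the certificate's SubjectPublicKeyInfo (Viktor's suggestion) and the issuer-name/serial pair (Goetz's). The DER walker and the certificate skeleton below are constructed for the demonstration and assume nothing about a real CA; the sample certificate is not signed and its key bytes are placeholders.

```python
# Added example: identify a client by its public key, or by issuer/serial.
import hashlib
from typing import List, Tuple

def der(tag: int, value: bytes) -> bytes:
    """DER TLV encoder for the sample (content < 256 bytes)."""
    n = len(value)
    return bytes([tag]) + (bytes([n]) if n < 128 else bytes([0x81, n])) + value

def der_children(buf: bytes) -> List[Tuple[int, bytes, bytes]]:
    """Split a DER value into (tag, content, raw TLV) triples."""
    out, pos = [], 0
    while pos < len(buf):
        start, tag, n, pos = pos, buf[pos], buf[pos + 1], pos + 2
        if n & 0x80:                                   # long-form length
            k = n & 0x7F
            n, pos = int.from_bytes(buf[pos:pos + k], "big"), pos + k
        out.append((tag, buf[pos:pos + n], buf[start:pos + n]))
        pos += n
    return out

def tbs_fields(cert_der: bytes) -> List[Tuple[int, bytes, bytes]]:
    """tbsCertificate fields: serial, sigAlg, issuer, validity, subject, SPKI."""
    tbs = der_children(der_children(cert_der)[0][1])[0][1]
    fields = der_children(tbs)
    return fields[1:] if fields[0][0] == 0xA0 else fields  # drop [0] version

def spki_fingerprint(cert_der: bytes) -> str:
    """SHA-256 over the DER SubjectPublicKeyInfo: unchanged when re-issued."""
    return hashlib.sha256(tbs_fields(cert_der)[5][2]).hexdigest()

def issuer_serial(cert_der: bytes) -> Tuple[bytes, int]:
    """(DER issuer Name, serial): usable only if the issuers are trusted."""
    f = tbs_fields(cert_der)
    return f[2][2], int.from_bytes(f[0][1], "big", signed=True)

def sample_cert(serial: int, spki: bytes) -> bytes:
    """Constructed certificate skeleton (not a real, signed certificate)."""
    rdn = der(0x30, der(0x06, b"\x55\x04\x03") + der(0x13, b"Example CA"))
    name = der(0x30, der(0x31, rdn))
    utc = der(0x17, b"250101000000Z")
    tbs = (der(0xA0, der(0x02, b"\x02"))               # version v3
           + der(0x02, serial.to_bytes((serial.bit_length() + 8) // 8, "big"))
           + der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x04\x03\x02"))  # ecdsa-SHA256
           + name + der(0x30, utc + utc) + name + spki)
    return der(0x30, der(0x30, tbs) + der(0x30, b"") + der(0x03, b"\x00"))

# Constructed SPKI: id-ecPublicKey with a placeholder (not real) key bit string.
SAMPLE_SPKI = der(0x30, der(0x30, der(0x06, b"\x2a\x86\x48\xce\x3d\x02\x01"))
                  + der(0x03, b"\x00\x04" + bytes(range(32))))
```

A registry keyed by `spki_fingerprint` keeps matching the same user after the cert is renewed with the same key, whereas an `issuer_serial` key changes with every issuance.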