> > I would use the public-key fingerprint, unless the trust chain is verified
> > from a fixed set of trusted issuers.
> Did you mean fingerprints instead of caching certs or instead of
> issuer/serial?
>
> xw

Instead of anything else. Simply bind the username to the public-key fingerprint. Essentially, treat it as a "hashed" password in the way you store it. Wherever you store the usernames, also store the public-key fingerprints. The only tricky part is that you need to rig your server to accept a certificate signed by any CA, or self-signed, or whatever. You don't need to do any other validation of the certificate itself.

DS
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
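The scheme DS describes, as an added example that is not from the thread or from OpenSSL itself: it uses Go's standard crypto/tls (not OpenSSL) because a loopback handshake can be run there without extra libraries. The server asks for a client certificate from any issuer, does no chain validation, and instead looks up the SHA-256 fingerprint of the client's SubjectPublicKeyInfo in a username table (`fingerprintStore`, a hypothetical stand-in for whatever database already holds usernames). The client pins the server the same way. `selfSigned`, `serverConfig` and `loopbackAuth` are names chosen here, not API of any project.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// spkiFingerprint is hex(SHA-256(SubjectPublicKeyInfo)). Hashing the SPKI rather
// than the whole certificate binds the user to the key, so a renewed or
// re-self-signed certificate for the same key still matches the stored value.
func spkiFingerprint(cert *x509.Certificate) string {
	sum := sha256.Sum256(cert.RawSubjectPublicKeyInfo)
	return hex.EncodeToString(sum[:])
}

// fingerprintStore is a hypothetical stand-in for the user table: fingerprint -> username.
type fingerprintStore map[string]string

// userForLeaf parses the presented leaf certificate and returns the username bound
// to its key. No chain building, no CA check, no subject matching: only the fingerprint.
func (s fingerprintStore) userForLeaf(rawCerts [][]byte) (string, error) {
	if len(rawCerts) == 0 {
		return "", errors.New("no client certificate presented")
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return "", err
	}
	if user, ok := s[spkiFingerprint(leaf)]; ok {
		return user, nil
	}
	return "", errors.New("key fingerprint not bound to any user")
}

// serverConfig requires a client certificate from any issuer (self-signed included)
// and replaces chain validation with the fingerprint lookup. The handshake's
// CertificateVerify still proves the client holds the matching private key.
func serverConfig(serverCert tls.Certificate, store fingerprintStore) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		MinVersion:   tls.VersionTLS12,
		ClientAuth:   tls.RequireAnyClientCert,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			_, err := store.userForLeaf(rawCerts)
			return err
		},
	}
}

// selfSigned makes a throwaway P-256 key and self-signed certificate (constructed test
// material); the issuer is irrelevant because neither side ever inspects it.
func selfSigned(cn string) (tls.Certificate, *x509.Certificate, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
		DNSNames:     []string{"localhost"},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, nil, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf, nil
}

// loopbackAuth runs one handshake over 127.0.0.1 and returns the username the server
// resolved for the client's key. The client pins the server by SPKI fingerprint too.
func loopbackAuth(store fingerprintStore, client tls.Certificate) (string, error) {
	srvTLS, srvLeaf, err := selfSigned("server")
	if err != nil {
		return "", err
	}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", serverConfig(srvTLS, store))
	if err != nil {
		return "", err
	}
	defer ln.Close()
	done := make(chan struct{})
	go func() {
		defer close(done)
		want := spkiFingerprint(srvLeaf)
		c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{
			Certificates:       []tls.Certificate{client},
			InsecureSkipVerify: true, // chain checks off; the pin below replaces them
			VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
				leaf, err := x509.ParseCertificate(rawCerts[0])
				if err != nil {
					return err
				}
				if spkiFingerprint(leaf) != want {
					return errors.New("server key fingerprint mismatch")
				}
				return nil
			},
		})
		if err == nil {
			c.Close()
		}
	}()
	conn, err := ln.Accept()
	if err != nil {
		return "", err
	}
	defer conn.Close()
	tconn := conn.(*tls.Conn)
	if err := tconn.Handshake(); err != nil {
		<-done
		return "", err
	}
	user, err := store.userForLeaf([][]byte{tconn.ConnectionState().PeerCertificates[0].Raw})
	<-done
	return user, err
}

func main() {
	aliceTLS, aliceLeaf, err := selfSigned("alice")
	if err != nil {
		panic(err)
	}
	store := fingerprintStore{spkiFingerprint(aliceLeaf): "alice"}
	fmt.Println(loopbackAuth(store, aliceTLS)) // alice <nil>
	imposter, _, _ := selfSigned("alice")      // same name, different key
	fmt.Println(loopbackAuth(store, imposter)) // "" plus a fingerprint error
}
```

Two points a practitioner should note. First, the fingerprint is over the SPKI, not the whole certificate, so the stored value survives certificate renewal as long as the key is kept; if you want a compromised key to stop working, you delete the row, which is the "hashed password" revocation model DS alludes to. Second, the fingerprint store is not secret, so it does not need the salting and slow hashing a real password table does; what it needs is integrity, since anyone who can write to it can enrol their own key.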