On Mon July 13 2009, David Schwartz wrote:

> > > I would use the public-key fingerprint, unless the trust chain
> > > is verified from a fixed set of trusted issuers.
> >
> > Did you mean fingerprints instead of caching certs or instead of
> > issuer/serial?
> >
> > xw
>
> Instead of anything else. Simply bind the username to the public-key
> fingerprint. Essentially, treat it as a "hashed" password in the way you
> store it. Wherever you store the usernames, also store the public key
> fingerprints.
>
> The only tricky part is you need to rig your server to accept a certificate
> signed by any CA or self-signed or whatever. You don't need to do any other
> validation of the certificate itself.
>
If you don't use some system of "third party identity verification" you are no worse off than a username/password/working e-mail address sort of registration. Your server is talking with whoever (or whatever) they claim to be.

If you authorize access additional times to the first, you are again no worse off than a stored (hashed) username/password/working e-mail address system. Your server is talking with someone (or something) they once thought they knew.

The only downside is you have to do a bunch of coding yourself. ;)

Why not write into your spec: "Must access using OpenID only." and be (almost) done with this part of the spec? The code is short, sweet and widely available to incorporate OpenID into your server.

Here is one popular application that (can) use OpenID: http://doc.tikiwiki.org/OpenID

Here is one of the providers of the authentication: https://pip.verisignlabs.com/

The sign-up process for your users is simple (and no stronger verification of identity) - this just assures you that you are talking with whoever they claim to be. That provider can also issue your users "node locked" certificates.

This may be all you really need in your application - automated user sign-in. And as a side benefit - your users can use their OpenID with any system that supports it, not just yours. Plus, of course, you don't have to write it or maintain it.

Mike

> DS
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [email protected]
> Automated List Manager [email protected]
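The scheme David describes in the quoted message (bind a username to a public-key fingerprint, store it the way you would store a hashed password, and configure the server to accept any client certificate without chain validation) is shown below as an added example using Go's standard `crypto/tls` and `crypto/x509`. This is not code from the thread or from OpenSSL; the `FingerprintStore` type, its method names, and the demo users "alice" and "bob" are assumptions made for the example. The server config uses `tls.RequireAnyClientCert`, which still makes the TLS handshake verify the client's CertificateVerify signature, so the fingerprint binding is backed by proof that the client holds the private key; only the issuer, chain and validity checks are skipped.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// FingerprintStore (hypothetical) is the "hashed password" column from the
// thread: SHA-256 of the user's SubjectPublicKeyInfo, recorded at sign-up,
// mapped back to the username.
type FingerprintStore struct {
	byFingerprint map[[32]byte]string
}

func NewFingerprintStore() *FingerprintStore {
	return &FingerprintStore{byFingerprint: make(map[[32]byte]string)}
}

// SPKIFingerprint hashes the DER SubjectPublicKeyInfo, not the whole
// certificate, so a renewed cert carrying the same key still maps to the user.
func SPKIFingerprint(cert *x509.Certificate) [32]byte {
	return sha256.Sum256(cert.RawSubjectPublicKeyInfo)
}

// Register binds user to the key in the certificate presented at sign-up.
func (s *FingerprintStore) Register(user string, cert *x509.Certificate) {
	s.byFingerprint[SPKIFingerprint(cert)] = user
}

// Lookup identifies the client from the raw leaf certificate it presented.
// Issuer, chain and validity period are deliberately not examined; the only
// question is whether this key was enrolled.
func (s *FingerprintStore) Lookup(rawCerts [][]byte) (string, error) {
	if len(rawCerts) == 0 {
		return "", errors.New("no client certificate presented")
	}
	leaf, err := x509.ParseCertificate(rawCerts[0])
	if err != nil {
		return "", fmt.Errorf("unparseable client certificate: %w", err)
	}
	fp := SPKIFingerprint(leaf)
	user, ok := s.byFingerprint[fp]
	if !ok {
		return "", fmt.Errorf("unknown key fingerprint %s", hex.EncodeToString(fp[:]))
	}
	return user, nil
}

// ServerTLSConfig is the "accept any CA or self-signed" setup: crypto/tls
// demands a client cert and checks the handshake's proof of key possession,
// skips chain validation, and VerifyPeerCertificate decides on fingerprint alone.
func (s *FingerprintStore) ServerTLSConfig(serverCert tls.Certificate) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{serverCert},
		ClientAuth:   tls.RequireAnyClientCert,
		MinVersion:   tls.VersionTLS12,
		VerifyPeerCertificate: func(rawCerts [][]byte, _ [][]*x509.Certificate) error {
			_, err := s.Lookup(rawCerts)
			return err
		},
	}
}

// GenerateKey makes a fresh P-256 key for a constructed demo user.
func GenerateKey() (*ecdsa.PrivateKey, error) {
	return ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
}

// SelfSignedCert issues a throwaway self-signed certificate for key; the
// server above never validates the issuer, so self-signed is enough.
func SelfSignedCert(cn string, key *ecdsa.PrivateKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

func main() {
	store := NewFingerprintStore()
	aliceKey, _ := GenerateKey()
	aliceCert, _ := SelfSignedCert("alice", aliceKey)
	store.Register("alice", aliceCert) // enrolment of a constructed demo user
	renewed, _ := SelfSignedCert("alice-renewed", aliceKey) // same key, new cert
	bobKey, _ := GenerateKey()
	bobCert, _ := SelfSignedCert("bob", bobKey) // never enrolled
	for _, c := range []*x509.Certificate{aliceCert, renewed, bobCert} {
		user, err := store.Lookup([][]byte{c.Raw})
		fmt.Printf("%-14s -> user=%q err=%v\n", c.Subject.CommonName, user, err)
	}
}
```

Registration is the trust-on-first-use moment Mike's reply talks about: the server learns nothing about who "alice" really is, only that later connections come from whoever holds the same private key. Keying the store by SPKI hash rather than by issuer/serial or the whole certificate means a user can renew or re-sign their certificate without re-enrolling, which is what the quoted advice to use "the public-key fingerprint" buys over caching certificates.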
