> > The simplest way to do verification is to allow the application to
> > provide a set of root certs that it would like to verify against, and
> > use the built-in OpenSSL verification procedure.
>
> That's good. I don't recall whether you planned for this, however,
> it would then be necessary to find out who the authenticated user
> is, to do authorization. Getting that as a pair (client dn, issuer dn)
> is the interface that springs to mind first.
Yes, that's right. If the cert verifies, its details are then available,
as a mapping, something like this:

    {'notBefore': 'Sep 29 16:38:04 2006 GMT',
     'notAfter': 'Dec 7 16:38:04 2008 GMT',
     'issuer': {'organizationalUnitName': u'UpLib',
                'organizationName': u'PARC',
                'commonName': u'wolfe-64.parc.xerox.com',
                'stateOrProvinceName': u'California',
                'countryName': u'US',
                'localityName': u'Palo Alto'},
     'version': 2,
     'subject': {'organizationalUnitName': u'UpLib',
                 'organizationName': u'PARC',
                 'commonName': u'wolfe-64.parc.xerox.com',
                 'stateOrProvinceName': u'California',
                 'countryName': u'US',
                 'localityName': u'Palo Alto'}}

This is a self-signed cert, and it's still an open question whether they
should verify, and under what circumstances. I'm currently thinking that
in the CERT_OPTIONAL regime, they could, but with CERT_REQUIRED, they
shouldn't.

Bill

_______________________________________________
Python-Dev mailing list
Python-Dev@python.org
http://mail.python.org/mailman/listinfo/python-dev
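An added example, not code from the thread or from the ssl module itself, of what a server might do with the mapping described above: derive the (client dn, issuer dn) pair the quoted reply asks for, use it as the authorization key, and apply the proposed policy that a self-signed peer may pass under CERT_OPTIONAL but not under CERT_REQUIRED. It also accepts the tuple-of-RDNs shape that the ssl module's `getpeercert()` ended up returning for `subject` and `issuer`, so the same helpers work against either form. The function names (`peer_identity`, `accept_peer`, `is_authorized`, `cert_time`) and both sample certificates are this example's own constructions; `ssl.CERT_OPTIONAL` and `ssl.CERT_REQUIRED` are the real constants.

```python
import ssl
from datetime import datetime, timezone

# Constructed sample in the dict shape shown in the message above
# (values copied from that self-signed example; u'' prefixes dropped).
SAMPLE_CERT = {
    'notBefore': 'Sep 29 16:38:04 2006 GMT',
    'notAfter': 'Dec 7 16:38:04 2008 GMT',
    'version': 2,
    'issuer': {'organizationalUnitName': 'UpLib', 'organizationName': 'PARC',
               'commonName': 'wolfe-64.parc.xerox.com',
               'stateOrProvinceName': 'California', 'countryName': 'US',
               'localityName': 'Palo Alto'},
    'subject': {'organizationalUnitName': 'UpLib', 'organizationName': 'PARC',
                'commonName': 'wolfe-64.parc.xerox.com',
                'stateOrProvinceName': 'California', 'countryName': 'US',
                'localityName': 'Palo Alto'},
}

# Constructed sample in the shape the shipped ssl.getpeercert() returns:
# subject/issuer as a tuple of RDNs, each RDN a tuple of (attr, value) pairs.
SAMPLE_CERT_RDN = {
    'notBefore': 'Jan 1 00:00:00 2007 GMT',
    'notAfter': 'Jan 1 00:00:00 2009 GMT',
    'version': 3,
    'subject': ((('countryName', 'US'),), (('organizationName', 'PARC'),),
                (('commonName', 'alice'),)),
    'issuer': ((('countryName', 'US'),), (('organizationName', 'PARC'),),
               (('commonName', 'UpLib CA'),)),
}


def _dn_items(name):
    """Normalise a subject or issuer to a sorted tuple of (attr, value) pairs,
    whichever of the two shapes above it arrived in."""
    if isinstance(name, dict):
        return tuple(sorted(name.items()))
    return tuple(sorted(pair for rdn in name for pair in rdn))


def dn_string(name):
    """Render a name as 'attr=value,...' so it can serve as a stable key."""
    return ','.join('%s=%s' % (attr, value) for attr, value in _dn_items(name))


def peer_identity(cert):
    """The (client dn, issuer dn) pair proposed for authorization decisions."""
    return dn_string(cert['subject']), dn_string(cert['issuer'])


def is_self_signed(cert):
    """Subject equals issuer. The mapping carries no key or signature fields,
    so this name comparison is all we can do here; the cryptographic check
    is OpenSSL's job during verification, as the quoted text says."""
    return _dn_items(cert['subject']) == _dn_items(cert['issuer'])


def cert_time(text):
    """Parse the 'Sep 29 16:38:04 2006 GMT' form used in the mapping."""
    return datetime.strptime(text, '%b %d %H:%M:%S %Y GMT').replace(tzinfo=timezone.utc)


def accept_peer(cert, cert_reqs, now=None):
    """Apply the policy sketched above: a self-signed peer may pass under
    CERT_OPTIONAL but never under CERT_REQUIRED; the validity window is
    enforced in both regimes. Returns (accepted, reason)."""
    if cert_reqs not in (ssl.CERT_OPTIONAL, ssl.CERT_REQUIRED):
        raise ValueError('expected ssl.CERT_OPTIONAL or ssl.CERT_REQUIRED')
    now = now or datetime.now(timezone.utc)
    if not cert:  # peer sent no certificate at all
        if cert_reqs == ssl.CERT_REQUIRED:
            return False, 'no certificate presented'
        return True, 'anonymous peer allowed under CERT_OPTIONAL'
    if not cert_time(cert['notBefore']) <= now <= cert_time(cert['notAfter']):
        return False, 'certificate not valid at %s' % now.isoformat()
    if is_self_signed(cert) and cert_reqs == ssl.CERT_REQUIRED:
        return False, 'self-signed certificate rejected under CERT_REQUIRED'
    return True, 'accepted'


def is_authorized(cert, allowed_pairs):
    """Authorization keyed on the (client dn, issuer dn) pair: because the
    issuer is part of the key, the same subject name minted by a different
    CA does not match an entry granted to the original one."""
    return peer_identity(cert) in allowed_pairs


if __name__ == '__main__':
    when = cert_time('Jan 1 00:00:00 2007 GMT')  # inside both validity windows
    print(peer_identity(SAMPLE_CERT))
    print(accept_peer(SAMPLE_CERT, ssl.CERT_OPTIONAL, now=when))
    print(accept_peer(SAMPLE_CERT, ssl.CERT_REQUIRED, now=when))
    print(is_authorized(SAMPLE_CERT_RDN, {peer_identity(SAMPLE_CERT_RDN)}))
```

Keying the allow-list on the pair rather than on the subject alone is the point of the quoted suggestion: two roots trusted by the same server can each issue a certificate for the same subject name, and only the issuer distinguishes them.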