Hello Rob,
We use SSL Client Certificates extensively here at MIT. They are quite
convenient for developers: if you want to plug into the existing campus-wide
authentication system, just ask for a client cert and you don't need
to reimplement any authentication system.
Cheers,
Edward
Now that's what I'm talking about. Are you guys hiring?
On Sun, Nov 21, 2010 at 12:06 PM, Graham Leggett wrote:
> In our experience, the hardest part about using certificates is overcoming
> the perception held by technical people that it's hard to use certificates.
>
> Over the last three year
On Sunday 21 November 2010, Graham Leggett wrote:
> In our experience, unlike technical people, end users don't know
> that certificates are supposed to be hard, and so have never
> known they were supposed to consider certificates a problem. As a
> result, it's been very successful.
If everythi
On 21 Nov 2010, at 6:59 AM, Sander Temme wrote:
Thanks for the link Issac. If this is already in Apache, why isn't
everyone using it?
Because key management is just too freaking hard, and too much of a
management and support burden.
For God's sake, if we can't even get the Apache developer
You can use self-signed client certs too. You just have to explicitly
tell Apache what to trust and what not to trust. You can also use your
own in-house CA, if applicable.
Issac
On 20/11/2010 22:55, Rob Lemaster wrote:
> Thanks for that explanation Graham!
>
> I wasn't thinking in terms of C
lol. In the meantime, it's still useful for implementation in closed
organizations where it's easy to enforce client cert policies (and easy
to use a CA model)
On 21/11/2010 10:11, Rob Lemaster wrote:
> This is good info. Thanks for your responses. So I guess the problem
> isn't that the function
This is good info. Thanks for your responses. So I guess the problem
isn't that the functionality isn't available, but that it's hard to
get end users to adopt it. This makes me sad. When I become Emperor, I
will require all secure web sites to implement this functionality and
the world will be a b
On Nov 20, 2010, at 12:39 PM, Rob Lemaster wrote:
> Thanks for the link Issac. If this is already in Apache, why isn't
> everyone using it?
Because key management is just too freaking hard, and too much of a management
and support burden.
For God's sake, if we can't even get the Apache devel
I understand your skepticism, but I am not advocating a complex CA
infrastructure and I have more faith in end users (possibly
misplaced). IMHO, it is reasonable for users to take that extra step
for their banking site or SSL-VPN. It's really not that big a deal to
generate a key pair in PuTTY, I c
On 11/20/2010 2:39 PM, Rob Lemaster wrote:
Thanks for the link Issac. If this is already in Apache, why isn't
everyone using it?
On Sat, Nov 20, 2010 at 12:32 PM, Issac Goldstand wrote:
Nope, you have full x509 based authentication out-of-the-box. See
http://httpd.apache.org/docs/2.2/ssl/s
Thanks for that explanation Graham!
I wasn't thinking in terms of CA-signed certificates like you and
Issac pointed out, but more of a PGP-type model, where I could use my
own self-signed public/private key pair created in Firefox to
authenticate to many web sites. I realize that self-signed cert
On 20 Nov 2010, at 10:19 PM, Rob Lemaster wrote:
Isn't mod_ssl used solely for HTTPS (browser-server encryption)? I
would like to use PKI for user authentication like you can in SSH on
top of the encryption provided by HTTPS. The most secure option I see
available for web authentication currentl
Thanks for the link Issac. If this is already in Apache, why isn't
everyone using it?
On Sat, Nov 20, 2010 at 12:32 PM, Issac Goldstand wrote:
> Nope, you have full x509 based authentication out-of-the-box. See
> http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html#allclients
>
> Issac
>
On 20/11/2010 22:19, Rob Lemaster wrote:
> Isn't mod_ssl used solely for HTTPS (browser-server encryption)? I
> would like to use PKI for user authentication like you can in SSH on
> top of the encryption provided by HTTPS. The most secure option I see
> available for web authentication currently i
Isn't mod_ssl used solely for HTTPS (browser-server encryption)? I
would like to use PKI for user authentication like you can in SSH on
top of the encryption provided by HTTPS. The most secure option I see
available for web authentication currently is OTP tokens (RSA, etc.)
that only work on one web
On 20 Nov 2010, at 10:27 AM, Rob Lemaster wrote:
SSH allows a user to create a public/private key pair and use that for
authentication. This is much more secure than simply using passwords
and adds the ability to add 'something you have' for multi-factor
authentication. I propose that the same f
Been there, done that:
http://wiki.buanzo.org (enigform and mod_openpgp)
Not x509, though.
On 11/20/10, Rob Lemaster wrote:
> I would like to propose an enhancement to the Apache web server for
> secure authentication.
>
> If this is the wrong list, please reply with the correct list and I will
I would like to propose an enhancement to the Apache web server for
secure authentication.
If this is the wrong list, please reply with the correct list and I will
post it there.
SSH allows a user to create a public/private key pair and use that for
authentication. This is much more secure than sim