Hello Brian, I don't fully understand your question, but the TLS handshake with client authentication is described on Wikipedia at: http://en.wikipedia.org/wiki/Transport_Layer_Security#Client-authenticated_TLS_handshake

You can see that the client uses its private key in order to sign some of the 'handshake messages' (Certificate, ClientKeyExchange), so in order to authenticate a client, you should also check with the client's public key that this signature is correct.

2010/5/24 Brian Demers <[email protected]>:
> I have a PublickeyAuthenticator, it is pretty simple, I just check if a
> public key is valid.
>
> I am just trying to verify this is all I need to worry about.
> Without knowing the details of the ssl handshake, it struck me as odd to just
> compare two public keys. Obviously the server does not have the client's
> private key.
>
> Just looking for a little reassurance. ( that I can add to my javadoc )
>
> Also, anyone interested in an Apache Shiro (getting out of the incubator
> soon ) PasswordAuthenticator/PublickeyAuthenticator impl? (maybe a sub
> project?)
>
> Thanks,
> -Brian
>
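The two halves of public-key client authentication described above, as an added example that is not from this thread or from Apache SSHD/Shiro: the authenticator's "is this public key known?" lookup, plus the signature check over session-bound handshake data that proves the client actually holds the private key. Go with Ed25519 stands in for the real handshake; `Server`, `signedData` and the session id are constructed for illustration.

```go
package main

import (
	"bytes"
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Server holds the list of public keys allowed to log in (constructed here;
// a real server loads it from configuration) and the per-connection session
// id that both sides derived during the handshake.
type Server struct {
	authorizedKeys []ed25519.PublicKey
	sessionID      []byte
}

// isAuthorized is the "compare public keys" half: is this key a known client?
func (s *Server) isAuthorized(pub ed25519.PublicKey) bool {
	for _, k := range s.authorizedKeys {
		if bytes.Equal(k, pub) {
			return true
		}
	}
	return false
}

// authenticate is the complete check: the offered key must be authorized AND
// the signature over the session-bound data must verify under that key.
// Anyone who merely copied the public key cannot produce that signature.
func (s *Server) authenticate(pub ed25519.PublicKey, username string, sig []byte) bool {
	if !s.isAuthorized(pub) {
		return false
	}
	return ed25519.Verify(pub, signedData(s.sessionID, username, pub), sig)
}

// signedData is what the client signs. Binding the session id means a captured
// signature cannot be replayed on another connection. (Fields are concatenated
// for brevity; a real protocol length-prefixes each one.)
func signedData(sessionID []byte, username string, pub ed25519.PublicKey) []byte {
	msg := append([]byte{}, sessionID...)
	msg = append(msg, []byte(username)...)
	return append(msg, pub...)
}

func main() {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	srv := &Server{authorizedKeys: []ed25519.PublicKey{pub}, sessionID: []byte("constructed-session-id")}
	sig := ed25519.Sign(priv, signedData(srv.sessionID, "brian", pub))
	fmt.Println("genuine client:  ", srv.authenticate(pub, "brian", sig))
	fmt.Println("public key only: ", srv.authenticate(pub, "brian", make([]byte, ed25519.SignatureSize)))
}
```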
