On Jul 12, 2005, at 11:27 AM, Kresten Krab Thorup wrote:
>> David Jencks wrote:
>>
>> On Jul 12, 2005, at 1:14 AM, Kresten Krab Thorup wrote:
>>
>>> For client sockets, things are slightly more complicated because we
>>> need to support that the user is authenticated with an X509
>>> certificate. In this case, the credentials of the user (which would
>>> typically be sitting inside the current Subject) needs to be passed
>>> along to the socket creation so that the SSL logic can create an
>>> X509KeyManager that can service this information to the server if he
>>> needs it to establish the client's credentials.
>>>
>>
>> Is this correct? Or one possibility we should support? My
>> understanding is that normally in csiv2 the ssl layer client
>> authentication authenticates the client system itself, whereas the
>> user's identity is transferred in an SAS identity token. If the client
>> system is a standalone client rather than a server, the client system
>> identity would presumably be the same as the user identity. Have I
>> missed something?
>>
>
> Here is the example I'm thinking of:
>
> If an application does a JAAS-based certificate login, then the private
> credentials thus stored in the current subject should be used to do the
> client-side of a client authentication on a successive remote corba SSL
> call. Thus making the client system identity identical to the logged in
> user.
While I like the idea of allowing this as an option, my understanding
is this is not csiv2 compliant: I think this is what the
ITTX509CertChain is for. Please correct me if I'm wrong.
david jencks
>
> Kresten
>
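For readers following the X509KeyManager idea in Kresten's message, here is an added illustration (not code from this thread or from the project under discussion) of a key manager that serves the X500PrivateCredential found in a JAAS Subject during the TLS client-authentication step. The class name SubjectKeyManager, the alias string and the factory method are assumptions for this example; only the javax.net.ssl and javax.security.auth APIs it calls are real.

```java
import java.net.Socket;
import java.security.KeyStore;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.net.ssl.KeyManager;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.net.ssl.TrustManagerFactory;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500PrivateCredential;

/**
 * Hypothetical X509KeyManager (example only): presents the X.509 certificate
 * and private key stored as an X500PrivateCredential in a JAAS Subject, so the
 * TLS handshake authenticates the client socket as the logged-in user.
 */
public final class SubjectKeyManager implements X509KeyManager {
    private static final String ALIAS = "subject-credential"; // assumed alias
    private final X500PrivateCredential credential;

    private SubjectKeyManager(X500PrivateCredential credential) {
        this.credential = credential;
    }

    /** Returns a key manager only if the Subject holds exactly one private X.509 credential. */
    public static SubjectKeyManager fromSubject(Subject subject) {
        if (subject == null) {
            return null;
        }
        Set<X500PrivateCredential> creds =
            subject.getPrivateCredentials(X500PrivateCredential.class);
        if (creds.size() != 1) {
            return null; // absent or ambiguous: do not guess which identity to present
        }
        return new SubjectKeyManager(creds.iterator().next());
    }

    private boolean keyTypeMatches(String keyType) {
        return credential.getPrivateKey().getAlgorithm().equals(keyType);
    }

    @Override
    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        for (String keyType : keyTypes) {
            if (keyTypeMatches(keyType)) {
                return ALIAS; // offer the credential only if the server accepts its key type
            }
        }
        return null;
    }

    @Override
    public String[] getClientAliases(String keyType, Principal[] issuers) {
        return keyTypeMatches(keyType) ? new String[] { ALIAS } : null;
    }

    @Override
    public X509Certificate[] getCertificateChain(String alias) {
        // X500PrivateCredential carries the leaf certificate only; intermediates
        // would have to be appended here if the server needs the full chain.
        return ALIAS.equals(alias) ? new X509Certificate[] { credential.getCertificate() } : null;
    }

    @Override
    public PrivateKey getPrivateKey(String alias) {
        return ALIAS.equals(alias) ? credential.getPrivateKey() : null;
    }

    // This key manager never acts as a server.
    @Override
    public String[] getServerAliases(String keyType, Principal[] issuers) {
        return null;
    }

    @Override
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) {
        return null;
    }

    /** Client socket factory that authenticates with the Subject's credential (assumed helper). */
    public static SSLSocketFactory clientSocketFactory(Subject subject) throws Exception {
        TrustManagerFactory tmf =
            TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init((KeyStore) null); // default trust store for verifying the server
        SubjectKeyManager km = fromSubject(subject);
        KeyManager[] kms = (km == null) ? null : new KeyManager[] { km };
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kms, tmf.getTrustManagers(), null);
        return ctx.getSocketFactory();
    }
}
```

Two points the example makes visible: the key manager declines to present anything when the Subject carries no credential or more than one (so the socket silently falls back to an unauthenticated client rather than picking an arbitrary identity), and reading private credentials from a Subject is itself a privileged operation under a Java security manager, so the code that builds the socket must run with that permission.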