httpd-dev mailing list archives
From Daniel Ruggeri <DRugg...@primary.net>
Subject Re: Proposed: PKI Authentication for secure web access
Date Sat, 20 Nov 2010 21:57:44 GMT

On 11/20/2010 2:39 PM, Rob Lemaster wrote:
> Thanks for the link, Issac. If this is already in Apache, why isn't
> everyone using it?
>
>
> On Sat, Nov 20, 2010 at 12:32 PM, Issac Goldstand <margol@beamartyr.net> wrote:
>
>> Nope, you have full x509 based authentication out-of-the-box.  See
>> http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html#allclients
>>
>>   Issac
>>

For those who have a real security need to authenticate their clients in 
this way, and are willing to accept the hassles of this method, it is 
definitely used. However, the idea that a bank or PayPal would issue 
certificates for each of its end users can get cumbersome very fast. 
See, the private key would be managed by the user. Users (and even some 
server administrators) are terribly poor at managing their private keys 
in a safe and secure fashion. Some potential complications are a user 
switching browsers, a user switching computers, a user's key becoming 
compromised, loss of the key, etc. On top of that, the signing 
institution would need to be able to keep track of certificates it 
should no longer accept via CRLs and have infrastructure ready to 
verify the cert is still valid.

Essentially, the logistics of getting END USERS to generate a key of 
appropriate size (and getting them to keep it safe), send a CSR, sign 
and return a certificate to them as well as the unavoidable technical 
support involved makes this an unattractive option to large institutions 
because the average Internet denizen isn't expected to know how to do 
this stuff The Right Way.

P.S.
IMHO, this conversation applies to PKI, X509 client authentication and 
even password authentication... all of these mechanisms boil down to the 
fact that there is some entity that knows who the user is and that your 
server will have to take a leap of faith at some point to trust that the 
user sitting at the keyboard is who they say they are.

--
Daniel Ruggeri
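The server-side half of what Daniel describes (accepting only certificates issued by the institution's own CA and refusing the ones it has since revoked) maps onto a small mod_ssl configuration. The block below is an added illustration, not configuration from this thread or from the httpd project's documentation; the hostname, file paths, CA name and the `/account` path are assumptions chosen for the example.

```apache
# Added example (not from the thread): an httpd 2.2-style virtual host that
# requires an X.509 client certificate issued by the site's own CA and rejects
# certificates listed in that CA's CRL. All paths and names are placeholders.
<VirtualHost *:443>
    ServerName secure.example.com

    SSLEngine on
    SSLCertificateFile    /etc/httpd/ssl/server.crt
    SSLCertificateKeyFile /etc/httpd/ssl/server.key

    # Only client certificates that chain to this CA bundle are accepted.
    SSLCACertificateFile  /etc/httpd/ssl/client-ca.crt

    # Revocation: the CRL published by the issuing CA. A client whose serial
    # appears here is refused at the TLS handshake. The CRL has its own
    # nextUpdate time; once it passes, OpenSSL treats the CRL as expired and
    # every client verification fails, so this file must be refreshed on a
    # schedule shorter than the CRL's validity period.
    SSLCARevocationFile   /etc/httpd/ssl/client-ca.crl

    <Location /account>
        # Fail the request unless a valid, unrevoked client certificate was
        # presented; "optional" would let the application decide instead.
        SSLVerifyClient require
        # Maximum chain length between the client cert and the trusted CA.
        SSLVerifyDepth  2
        # Expose SSL_CLIENT_S_DN_* and friends to the application as env vars.
        SSLOptions +StdEnvVars
        # Additionally pin the certificate's organisation to the issuing
        # institution (assumed name), so a cert from any other CA in the
        # bundle is not enough on its own.
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "Example Bank"
    </Location>
</VirtualHost>
```

Two operational points follow from the directives above. First, the CRL file is the "infrastructure ready to verify the cert is still valid" from the message: it is only as current as the last copy fetched from the CA, so a stale or expired CRL either admits a revoked user or locks out everyone, and its refresh job deserves monitoring. Second, on httpd 2.4 the CRL is ignored unless `SSLCARevocationCheck` is also set to `chain` or `leaf` (its default is `none`), so a 2.2 configuration carried forward to 2.4 silently stops checking revocation until that directive is added.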

