httpd-dev mailing list archives

From Issac Goldstand <mar...@beamartyr.net>
Subject Re: Proposed: PKI Authentication for secure web access
Date Sun, 21 Nov 2010 07:56:28 GMT
You can use self-signed client certs too.  You just have to explicitly
tell Apache what to trust and what not to trust.  You can also use your
own in-house CA, if applicable.

  Issac

On 20/11/2010 22:55, Rob Lemaster wrote:
> Thanks for that explanation, Graham!
>
> I wasn't thinking in terms of CA-signed certificates like you and
> Issac pointed out, but more of a PGP-type model, where I could use my
> own self-signed public/private key pair created in Firefox to
> authenticate to many web sites. I realize that self-signed certs
> aren't as secure (from the server's point of view), but I could
> authenticate and answer pre-assigned secret questions before uploading
> my public key to confirm my identity before the server accepts it. I'd
> still be grateful for the additional security of CA-signed certs if my
> bank and PayPal would use them.
>
> -rob
>
> On Sat, Nov 20, 2010 at 12:42 PM, Graham Leggett <minfrin@sharp.fm> wrote:
>
>> mod_ssl is used solely for https, yes, but the feature you're looking for is
>> built into https by default already.
>>
>> Certificates work symmetrically, both sides have the power to require the
>> other side to present a valid certificate.
>>
>> In the case you might be most familiar with, only one side has a certificate
>> (the server). The other side (the browser) has no certificate. In this
>> scenario, the browser can be sure it is speaking to the right server,
>> because the server presented a signed certificate, but the server has no
>> idea about the browser. Usually, some other authentication mechanism is used
>> to identify the browser, of varying strengths (passwords, etc.).
>>
>> In the case you want however, both sides of the connection are configured to
>> require a certificate from the other side. The certificates do the same job
>> as the keys that are exchanged in your SSH configuration: they allow the
>> other side to say "yup, I trust you", and that trust works both ways.
>>
>> Unlike an SSH key however, a certificate contains embedded within it details
>> of the person (or thing) that owns the certificate, but these are details as
>> far as the protocol is concerned.
>>
>> Regards,
>> Graham
>> --
>>
>>
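As an added illustration of Issac's point at the top of this message (explicitly telling Apache which client certificates to trust, whether self-signed or issued by an in-house CA), the following mod_ssl virtual host is example configuration written for this archive page, not taken from the thread or from the httpd project; all file paths and the organisation name are placeholders.

```apache
# Added example, not part of the original thread. Requires a client
# certificate on every TLS connection and trusts only what the
# administrator has installed in the trust store. Paths are placeholders.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key

    # The browser must present a certificate during the handshake;
    # the handshake fails if it cannot or if the chain does not verify.
    SSLVerifyClient require

    # Trust store for client certificates. In the in-house CA model this
    # file holds the CA certificate; in the self-signed model it holds
    # each user's self-signed certificate, concatenated one after another.
    # A certificate not reachable from this file is rejected.
    SSLCACertificateFile /etc/ssl/certs/trusted-clients.pem

    # Depth 0 accepts only self-signed certificates that are themselves in
    # the trust store. Depth 1 (the default) additionally accepts
    # certificates signed directly by a CA in the trust store, so it
    # covers both of the models discussed in the thread.
    SSLVerifyDepth 1

    # Expose the verified certificate fields (e.g. SSL_CLIENT_S_DN) to
    # applications, so they can map the identity to a user account
    # rather than trusting anything the client sends in the request.
    SSLOptions +StdEnvVars

    # Optional: further restrict a path by a field of the verified subject.
    <Location /secure>
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "Example Org"
    </Location>
</VirtualHost>
```

With `SSLVerifyClient require` the identity check happens before any request is processed, so a visitor without a trusted certificate never reaches the application at all.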

