From: Graham Leggett <minfrin@sharp.fm>
To: dev@httpd.apache.org
Subject: Re: Small things to do
Date: Wed, 9 Nov 2011 12:02:46 +0200
In-Reply-To: <4EB9C0BA.4@primary.net>
References: <4EB9B531.4060708@primary.net> <822ECDF5-0ED6-4F84-9847-7DD56C5853B2@sharp.fm> <4EB9C0BA.4@primary.net>

On 09 Nov 2011, at 1:52 AM, Daniel Ruggeri wrote:

> One thing I know for certain that does not fall in line with this is
> if some.where.back.there and some.where.different are signed out of the
> same CA, but you wish to send different client certs based on path (such
> a use case exists, silly as it may seem in my eyes).

That would be the use case, yes.

We have a service-oriented platform that is hardened end to end, in other words services are client cert protected, and apps must strongly authenticate to use the service using their own client cert. Sometimes the apps need to expose the URL space of the service directly (for the benefit of ajax, etc), but currently can't using a simple proxypass because the app next door needs to expose a different service with a different client cert.

As to the use case being silly, we live in an age of the cloud, where one app at location A is referencing a service in location B, with an unsecured network in between. Times have changed :)

Regards,
Graham
--