synapse-dev mailing list archives

From "Asankha C. Perera" <asan...@apache.org>
Subject Re: Supporting Multiple SSL Configurations at Sender
Date Tue, 21 Jul 2009 10:06:35 GMT
Hi Andreas
> That is possible, but it is only relevant for a scheme where the
> consumer of the service creates a certificate himself (typically a
> self-signed certificate) and somehow registers that with the provider
> of the service. This implies that the provider has to manage a list of
> recognized client certificates to authenticate the client. I don't
> think that is a usual scheme for Web services (BTW, how would you do
> that with Axis2?), but that it is more usual for the provider to issue
> certificates to the consumer, so that authentication is based on the
> signature on the client certificate. But again, this is a question
> about the requirements.
>   
See:
http://publib.boulder.ibm.com/infocenter/tivihelp/v5r1/index.jsp?topic=/com.ibm.itim.infocenter.doc/cpt/cpt_ic_security_ssl_authent2way.html

"Two-way SSL authentication is also referred to as client authentication
because the application acting as an SSL client presents its certificate
to the SSL server after the SSL server authenticates itself to the SSL
client."

The client must decide and send its identity certificate to the server
once the server has been authenticated. In this case, if the same client
needs to talk to Customer A and Customer B - where both use their own
CAs and give custom client identity certs to the client to use when
talking to them, the client now has to pick the correct one to be used -
depending on who it is talking to. It's like having a university ID card
and a public library ID card. You can carry both, but must show the
correct one depending on where you are going.

I've come across this situation many years back when a large US firm had
to talk to multiple 3rd parties, and this is a real issue that is common
and needs to be solved.

cheers
asankha

-- 
Asankha C. Perera
AdroitLogic, http://adroitlogic.org

http://esbmagic.blogspot.com
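
The per-destination selection described in the message above, as an added example (not code from the post or from Synapse): a JSSE key manager that presents a different client identity depending on the host being contacted. The class name `PerHostKeyManager`, the host-to-alias map and its entries are assumptions, and the peer host is only known when the socket or engine was created with a host name.

```java
import java.net.Socket;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Locale;
import java.util.Map;
import javax.net.ssl.SSLEngine;
import javax.net.ssl.SSLSession;
import javax.net.ssl.SSLSocket;
import javax.net.ssl.X509ExtendedKeyManager;
import javax.net.ssl.X509KeyManager;

// Hypothetical wrapper: one keystore holds every client identity, one alias per partner.
public class PerHostKeyManager extends X509ExtendedKeyManager {
    private final X509KeyManager delegate;          // key manager built over that keystore
    private final Map<String, String> aliasByHost;  // lower-case host -> alias, e.g. "api.customer-a.example" -> "customer-a-id"

    public PerHostKeyManager(X509KeyManager delegate, Map<String, String> aliasByHost) {
        this.delegate = delegate;
        this.aliasByHost = aliasByHost;
    }

    // Fail closed: an unknown host, or an alias with no private key, yields null,
    // so no certificate is sent rather than another partner's identity.
    private String aliasFor(String host) {
        String alias = host == null ? null : aliasByHost.get(host.toLowerCase(Locale.ROOT));
        return alias != null && delegate.getPrivateKey(alias) != null ? alias : null;
    }

    @Override  // Blocking sockets. keyType and issuers (the CA names the server sent) are ignored here.
    public String chooseClientAlias(String[] keyType, Principal[] issuers, Socket socket) {
        SSLSession s = socket instanceof SSLSocket ? ((SSLSocket) socket).getHandshakeSession() : null;
        return aliasFor(s == null ? null : s.getPeerHost());
    }

    @Override  // Non-blocking transports that drive an SSLEngine.
    public String chooseEngineClientAlias(String[] keyType, Principal[] issuers, SSLEngine engine) {
        return aliasFor(engine.getPeerHost());
    }

    // Everything else is answered by the wrapped key manager.
    @Override public String[] getClientAliases(String keyType, Principal[] issuers) { return delegate.getClientAliases(keyType, issuers); }
    @Override public String[] getServerAliases(String keyType, Principal[] issuers) { return delegate.getServerAliases(keyType, issuers); }
    @Override public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return delegate.chooseServerAlias(keyType, issuers, socket); }
    @Override public X509Certificate[] getCertificateChain(String alias) { return delegate.getCertificateChain(alias); }
    @Override public PrivateKey getPrivateKey(String alias) { return delegate.getPrivateKey(alias); }
}
```

An instance wrapping the `X509KeyManager` from a `KeyManagerFactory` is passed as the key manager to `SSLContext.init(...)`.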




