[13433] in cryptography@c2.net mail archive


Re: Maybe It's Snake Oil All the Way Down

daemon@ATHENA.MIT.EDU (Eric Rescorla)
Tue Jun 3 21:45:23 2003

X-Original-To: cryptography@metzdowd.com
To: "James A. Donald" <jamesd@echeque.com>
Cc: pgut001@cs.auckland.ac.nz (Peter Gutmann),
	bill.stewart@pobox.com, cryptography@metzdowd.com,
	cypherpunks@lne.com, rsalz@datapower.com, sguthery@mobile-mind.com
Reply-To: EKR <ekr@rtfm.com>
From: Eric Rescorla <ekr@rtfm.com>
Date: 03 Jun 2003 15:27:12 -0700
In-Reply-To: <3EDCB916.14077.15D755CF@localhost>

"James A. Donald" <jamesd@echeque.com> writes:

> > That's a red herring.  It happens to use X.509 as its
> > preferred bit-bagging format for public keys, but that's
> > about it.  People use self-signed certs, certs from unknown
> > CAs [0], etc etc, and you don't need certs at all if you
> > don't need them, <blatant self-promotion>I've just done an
> > RFC draft that uses shared secret keys for mutual 
> > authentication of client and server, with no need for
> > certificates of any kind</blatant self-promotion>, so the use
> > of certs, and in particular a hierarchical PKI, is merely an
> > optional extra. It's no more required in SSL than it is in
> > SSHv2.
> 
> I never figured out how to use a certificate to authenticate a
> client to a web server, how to make a web form available to one
> client and not another.  Where do I start?
>
> What I and everyone else does is use a shared secret, a
> password stored on the server, whereby the otherwise anonymous
> client gets authenticated, then gets an ephemeral cookie
> identifying him.  I cannot seem to find any how-tos or
> examples for anything better, whether for IIS or apache.

http://www.modssl.org/docs/2.8/ssl_howto.html#auth-simple

-Ekr

-- 
[Eric Rescorla                                   ekr@rtfm.com]
                http://www.rtfm.com/

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
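The mod_ssl HOWTO that Ekr points at answers James's question with configuration rather than application code: the web server verifies the client's certificate during the TLS handshake and then decides, per URL, which certificate holders get through. The following configuration is an added example written for this archive page; it is not taken from the HOWTO or from the thread, and the file paths and the distinguished-name values ("Example Corp", "Alice Example") are assumptions chosen for illustration. It shows both halves of the question: requiring any certificate issued by a CA you trust, and exposing one form to a single named client only.

```apache
# Added example (not from the mod_ssl HOWTO or the thread): mod_ssl 2.8 style
# configuration for certificate-based client authentication.
# Paths and the subject-DN values below are assumptions for illustration.

# CA certificate(s) whose client certificates will be accepted at all.
# A client certificate that does not chain to one of these is rejected
# during the TLS handshake, before any request is processed.
SSLCACertificateFile /usr/local/apache/conf/ssl.crt/ca.crt

# Revocation list for that CA, so a revoked client certificate is also rejected.
SSLCARevocationFile  /usr/local/apache/conf/ssl.crl/ca.crl

# 1. Any client presenting a valid certificate issued directly by the trusted CA
#    (depth 1: no intermediate CAs) may reach everything under /secure/.
<Location /secure>
    SSLVerifyClient require
    SSLVerifyDepth  1
</Location>

# 2. The form is available to one client only: the certificate must additionally
#    carry the expected Organization and Common Name in its subject.
#    Every other valid certificate holder receives 403 Forbidden here.
<Location /secure/form.cgi>
    SSLVerifyClient require
    SSLVerifyDepth  1
    SSLRequire %{SSL_CLIENT_S_DN_O}  eq "Example Corp" and \
               %{SSL_CLIENT_S_DN_CN} eq "Alice Example"
</Location>
```

Two points matter when adapting this. First, the `SSLRequire` match on subject fields is only as strong as `SSLCACertificateFile`: the DN comparison identifies the client only because every CA listed in that file is trusted not to issue a certificate with that subject to anyone else, so keep the file to the CA you actually control. Second, on Apache 2.4 `SSLRequire` is deprecated in favour of the generic expression syntax, so the equivalent restriction is written as `Require expr %{SSL_CLIENT_S_DN_O} == "Example Corp" && %{SSL_CLIENT_S_DN_CN} == "Alice Example"`; the verification directives are unchanged.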
