On Wed, Jun 04, 2003 at 04:32:23PM +1200, Peter Gutmann wrote:
> "James A. Donald" <[EMAIL PROTECTED]> writes:
>
> >I never figured out how to use a certificate to authenticate a client to a
> >web server, how to make a web form available to one client and not another.
> >Where do I start?
>
> There's a two-level answer to this problem. At an abstract level, doing
> client certs isn't hard, there are various HOWTOs around for Apache, Microsoft
> have Technet/MSDN papers on it for IIS, etc etc. At a practical level, it's
> almost never used because it's just Too Hard. That's not the SSL client-cert
> part, it's the using-X.509 part.
It's the I part of PKI that's hard. That the assumptions built into X.509 (i.e. a rigid certificate hierarchy) don't work everywhere just makes it harder. And the obstinance of the standards organizations involved doesn't help. Too often people see something like Peter's statement above and say "oh, it's that nasty ASN.1 in X.509 that is the problem, so we'll just do it in XML instead and then it'll work fine", which is simply not true. The formatting of the certificates is such a minor issue that it is lost in the noise of the real problems. And Peter publishes a fine tool for printing ASN.1, so the "human readable" argument is moot.

Note that there isn't a real running global PKI using SPKI or PGP either.

The largest problem with X.509 is that various market/political forces have allowed Verisign to dominate the cert market and charge way too much for them. There is software operable by non-cryptographers that will generate reasonable cert reqs (it's not standard OpenSSL), but individuals and corporations alike balk at paying $300-700 for each cert. (Yes, I know about the free "individual" certs; the failure of S/MIME is a topic for another rant.) This is why lne.com's STARTTLS cert is self-signed. Verisign isn't getting any more of my money.

Eric
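James's original question (a cert that authenticates a client, and a form that only one client can reach) and Eric's point that a private, self-signed CA sidesteps the commercial-cert cost are both covered by the added example below. It is not code from the thread; it is a POSIX shell script written for this page, using modern OpenSSL command lines. The working directory, the CA and client names (Example Private CA, alice, mallory), the file paths in the Apache fragment, and the /restricted-form URL are all illustrative assumptions. The idea is the two-level check Peter alludes to: mod_ssl verifies at the handshake that the presented cert chains to the CA you trust (SSLVerifyClient), and a per-Location rule on the certificate's subject DN decides which authenticated client gets the form.

```shell
#!/bin/sh
# Added example, not from the original mailing-list post.
# Private CA + client cert issuance + Apache client-cert gating.
# All names and paths below are illustrative assumptions.
set -eu

# Scratch directory for keys and certs (assumed; override with WORK=...).
WORK="${WORK:-$(mktemp -d)}"

# 1. Create a private CA: a key and a self-signed root certificate.
#    This is the "self-signed" route: no commercial CA involved.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=Example Private CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# 2. Issue a client cert for user $1: generate a key + CSR, then sign
#    the CSR with the CA key. The CN becomes the identity Apache sees.
make_client_cert() {
    openssl req -newkey rsa:2048 -nodes \
        -subj "/CN=$1/O=Example" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/$1.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 365 -out "$WORK/$1.crt" 2>/dev/null
}

# A self-signed cert for $1 that our CA never issued. This is what an
# attacker who merely picked the same CN would present.
make_selfsigned_cert() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
        -subj "/CN=$1/O=Example" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# 3. The check mod_ssl performs at the handshake when SSLVerifyClient
#    is "require": does the presented cert chain to our CA?
#    Returns 0 if trusted, non-zero otherwise.
verify_client_cert() {
    openssl verify -CAfile "$WORK/ca.crt" "$1" >/dev/null 2>&1
}

# 4. Apache (mod_ssl) fragment. SSLVerifyClient rejects any cert not
#    chained to ca.crt; the SSLRequire inside <Location> then lets only
#    the client whose subject CN equals $1 reach the form. On Apache 2.4
#    the same rule can be written as:
#      Require expr %{SSL_CLIENT_S_DN_CN} == "alice"
apache_fragment() {
    cat <<EOF
SSLVerifyClient require
SSLVerifyDepth 1
SSLCACertificateFile /etc/apache2/ssl/ca.crt
<Location /restricted-form>
    SSLRequire %{SSL_CLIENT_S_DN_CN} eq "$1"
</Location>
EOF
}

# Usage when run directly: build the CA, issue alice's cert, show that
# alice verifies and a look-alike self-signed cert does not, then print
# the config that gates the form to alice.
if [ "${1:-}" = "demo" ]; then
    make_ca
    make_client_cert alice
    make_selfsigned_cert mallory
    verify_client_cert "$WORK/alice.crt"   && echo "alice.crt:   trusted"
    verify_client_cert "$WORK/mallory.crt" || echo "mallory.crt: rejected"
    apache_fragment alice
fi
```

Two things to notice. First, the CN match alone is worthless: mallory's self-signed cert carries the same CN as alice's, and only the chain check to ca.crt (SSLVerifyClient plus SSLCACertificateFile) tells them apart, which is why the SSLRequire rule must sit behind it rather than replace it. Second, the point of the file list at the end (ca.crt on the server, alice.key plus alice.crt imported into the client's browser) is that nothing here required buying a certificate; the cost is running your own issuance, which is exactly the "I" part of PKI Eric is talking about.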