> David Jencks wrote:
>
> On Jul 12, 2005, at 1:14 AM, Kresten Krab Thorup wrote:
>
>> For client sockets, things are slightly more complicated because we
>> need to support that the user is authenticated with an X509
>> certificate. In this case, the credentials of the user (which would
>> typically be sitting inside the current Subject) need to be passed
>> along to the socket creation so that the SSL logic can create an
>> X509KeyManager that can service this information to the server if he
>> needs it to establish the client's credentials.
>>
>
> Is this correct? Or one possibility we should support? My
> understanding is that normally in csiv2 the ssl layer client
> authentication authenticates the client system itself, whereas the
> user's identity is transferred in an SAS identity token. If the client
> system is a standalone client rather than a server, the client system
> identity would presumably be the same as the user identity. Have I
> missed something?
>
Here is the example I'm thinking of: If an application does a JAAS-based certificate login, then the private credentials thus stored in the current subject should be used to do the client side of a client authentication on a successive remote CORBA SSL call. Thus making the client system identity identical to the logged-in user.

Kresten
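
The scenario in the message above, sketched as an added example (not code from this thread or from the project): the certificate credential held in a JAAS Subject becomes the only key the SSL layer can offer for client authentication. The class and method names are hypothetical, and it assumes the login module stored an `X500PrivateCredential` in the Subject's private credentials.

```java
import java.io.IOException;
import java.security.GeneralSecurityException;
import java.security.KeyStore;
import java.security.SecureRandom;
import java.security.cert.Certificate;
import java.util.Arrays;
import java.util.Set;
import javax.net.ssl.KeyManagerFactory;
import javax.net.ssl.SSLContext;
import javax.net.ssl.SSLSocketFactory;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500PrivateCredential;

// Hypothetical helper; class and method names are assumptions, not from the thread.
public final class SubjectSslClient {
    public static SSLSocketFactory socketFactoryFor(Subject subject)
            throws GeneralSecurityException, IOException {
        // Assumes the JAAS certificate login stored an X500PrivateCredential
        // among the Subject's private credentials.
        Set<X500PrivateCredential> creds =
                subject.getPrivateCredentials(X500PrivateCredential.class);
        if (creds.size() != 1) {
            // Fail closed: no fallback to a system-wide key, no guessing between identities.
            throw new GeneralSecurityException(
                    "expected exactly one X.509 credential, found " + creds.size());
        }
        X500PrivateCredential cred = creds.iterator().next();
        // In-memory key store holding only this user's key, under a throwaway password.
        char[] pw = new char[16];
        SecureRandom rnd = new SecureRandom();
        for (int i = 0; i < pw.length; i++) pw[i] = (char) ('a' + rnd.nextInt(26));
        KeyStore ks = KeyStore.getInstance(KeyStore.getDefaultType());
        ks.load(null, null);
        // Only the end-entity certificate is used here; a longer chain is not assumed.
        ks.setKeyEntry("user", cred.getPrivateKey(), pw,
                new Certificate[] { cred.getCertificate() });
        KeyManagerFactory kmf =
                KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(ks, pw);
        Arrays.fill(pw, '\0');

        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null); // nulls: default trust managers and RNG
        return ctx.getSocketFactory();
    }
    public static void main(String[] args) throws Exception {
        try { socketFactoryFor(new Subject()); } // constructed input: no login happened
        catch (GeneralSecurityException e) { System.out.println("refused: " + e.getMessage()); }
    }
}
```

Because the factory is built per Subject, sockets created from it cannot be reused across users without carrying the wrong identity.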