On Jul 12, 2005, at 11:27 AM, Kresten Krab Thorup wrote:

David Jencks wrote:

On Jul 12, 2005, at 1:14 AM, Kresten Krab Thorup wrote:

For client sockets, things are slightly more complicated because we
need to support that the user is authenticated with an X509
certificate.  In this case, the credentials of the user (which would
typically be sitting inside the current Subject) need to be passed
along to the socket creation so that the SSL logic can create an
X509KeyManager that can serve this information to the server if it
needs it to establish the client's credentials.


Is this correct?  Or one possibility we should support?  My
understanding is that normally in CSIv2 the SSL layer client
authentication authenticates the client system itself, whereas the
user's identity is transferred in a SAS identity token. If the client
system is a standalone client rather than a server, the client system
identity would presumably be the same as the user identity.  Have I
missed something?


Here is the example I'm thinking of:

If an application does a JAAS-based certificate login, then the private
credentials thus stored in the current Subject should be used to do the
client side of client authentication on a subsequent remote CORBA SSL call,
thus making the client system identity identical to the logged-in user.

While I like the idea of allowing this as an option, my understanding is that this is not CSIv2-compliant: I think this is what the ITTX509CertChain is for. Please correct me if I'm wrong.

david jencks


Kresten
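An illustration of the mechanism Kresten describes, added here as example code that is not from the thread or from any project's code base: an X509KeyManager that, at handshake time, looks up the X500PrivateCredential a certificate LoginModule stored in the calling thread's JAAS Subject and offers it for SSL client authentication. The alias name and the assumption that the login module stores exactly one X500PrivateCredential are mine.

```java
import java.net.Socket;
import java.security.AccessController;
import java.security.Principal;
import java.security.PrivateKey;
import java.security.cert.X509Certificate;
import java.util.Set;
import javax.net.ssl.X509KeyManager;
import javax.security.auth.Subject;
import javax.security.auth.x500.X500PrivateCredential;

/** Serves the certificate and key found in the current JAAS Subject (added example). */
public class SubjectKeyManager implements X509KeyManager {
    private static final String ALIAS = "subject-credential"; // hypothetical alias

    /** Find the X500PrivateCredential that a certificate login placed in the Subject. */
    private static X500PrivateCredential current() {
        Subject subject = Subject.getSubject(AccessController.getContext());
        if (subject == null) return null;
        Set<X500PrivateCredential> creds = subject.getPrivateCredentials(X500PrivateCredential.class);
        return creds.isEmpty() ? null : creds.iterator().next();
    }

    public String chooseClientAlias(String[] keyTypes, Principal[] issuers, Socket socket) {
        // Offer the alias only when a credential is present; otherwise the handshake
        // continues without client authentication and the server decides what to do.
        return current() == null ? null : ALIAS;
    }

    public X509Certificate[] getCertificateChain(String alias) {
        X500PrivateCredential c = current();
        // X500PrivateCredential holds a single certificate, so the chain has one element.
        return (c == null || !ALIAS.equals(alias)) ? null : new X509Certificate[] { c.getCertificate() };
    }

    public PrivateKey getPrivateKey(String alias) {
        X500PrivateCredential c = current();
        return (c == null || !ALIAS.equals(alias)) ? null : c.getPrivateKey();
    }

    public String[] getClientAliases(String keyType, Principal[] issuers) {
        return current() == null ? null : new String[] { ALIAS };
    }

    // Server-side selection is not used for an outbound client socket.
    public String chooseServerAlias(String keyType, Principal[] issuers, Socket socket) { return null; }
    public String[] getServerAliases(String keyType, Principal[] issuers) { return null; }
}
```

The manager is installed with SSLContext.init(new KeyManager[] { new SubjectKeyManager() }, trustManagers, null), and the remote call must run inside Subject.doAs so that the Subject is visible on the handshaking thread; as David notes, tying the transport identity to the user this way differs from the CSIv2 model of carrying the user in the SAS identity token.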

