Thanks for that explanation Graham! I wasn't thinking in terms of CA-signed certificates like you and Issac pointed out, but more of a PGP-type model, where I could use my own self-signed public/private key pair created in Firefox to authenticate to many web sites. I realize that self-signed certs aren't as secure (from the server's point of view), but I could authenticate and answer pre-assigned secret questions before uploading my public key to confirm my identity before the server accepts it. I'd still be grateful for the additional security of CA-signed certs if my bank and Paypal would use them.
-rob

On Sat, Nov 20, 2010 at 12:42 PM, Graham Leggett <minf...@sharp.fm> wrote:
> mod_ssl is used solely for https, yes, but the feature you're looking for is built into https by default already.
>
> Certificates work symmetrically, both sides have the power to require the other side to present a valid certificate.
>
> In the case you might be most familiar with, only one side has a certificate (the server). The other side (the browser) has no certificate. In this scenario, the browser can be sure it is speaking to the right server, because the server presented a signed certificate, but the server has no idea about the browser. Usually, some other authentication mechanism is used to identify the browser, of varying strengths (passwords, etc).
>
> In the case you want however, both sides of the connection are configured to require a certificate from the other side. The certificates do the same job as the keys that are exchanged in your SSH configuration, they allow the other side to say "yup, I trust you", and that trust works both ways.
>
> Unlike an SSH key however, a certificate contains embedded within it details of the person (or thing) that owns the certificate, but these are details as far as the protocol is concerned.
>
> Regards,
> Graham
> --
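As an added example (not part of the thread, and not configuration either poster showed), here are two mod_ssl virtual hosts that implement the two models discussed above: Graham's, where the server requires a client certificate chained to a CA it trusts, and Rob's, where a self-signed client certificate is accepted at the TLS layer and the application is left to compare it with the public key the user registered earlier. Hostnames, file paths and the /account location are placeholders.

```apache
# Added example, not from the thread. Placeholder hostnames and paths.

# --- Model 1: CA-issued client certificates (what Graham describes).
# The handshake itself fails if the browser does not present a certificate
# that chains to a CA listed in SSLCACertificateFile, so no request from an
# unauthenticated client ever reaches the application.
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/www.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/www.example.com.key

    # CA(s) whose client certificates are trusted, and how deep a chain may be.
    SSLCACertificateFile  /etc/ssl/certs/client-ca.crt
    SSLVerifyClient require
    SSLVerifyDepth  2

    # Expose the verified subject CN to the application as REMOTE_USER,
    # replacing a password login.
    SSLUserName SSL_CLIENT_S_DN_CN

    DocumentRoot /var/www/mtls
</VirtualHost>

# --- Model 2: self-signed client certificates (what Rob describes).
# optional_no_ca lets the handshake complete with a certificate that chains
# to nothing. mod_ssl has then only checked proof of possession of the key,
# not who holds it, so the application MUST compare the presented certificate
# (exported below as SSL_CLIENT_CERT) with the one on file for that account.
<VirtualHost *:443>
    ServerName pki.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/pki.example.com.crt
    SSLCertificateKeyFile /etc/ssl/private/pki.example.com.key

    SSLVerifyClient optional_no_ca

    # +ExportCertData puts the client cert PEM in SSL_CLIENT_CERT;
    # +StdEnvVars exports SSL_CLIENT_VERIFY, which reads GENEROUS when a
    # certificate was sent but its chain was not checked.
    SSLOptions +ExportCertData +StdEnvVars

    <Location /account>
        # Reject requests where the browser sent no certificate at all.
        SSLRequire %{SSL_CLIENT_VERIFY} in {"SUCCESS","GENEROUS"}
    </Location>

    DocumentRoot /var/www/pin
</VirtualHost>
```

The check in the second host only guarantees that a certificate was presented and that the client proved possession of its private key; everything else (matching the certificate against the uploaded one, and the secret-question step before a key is accepted) lives in the application behind it. On Apache 2.4, which deprecates SSLRequire, the same condition can be expressed with `Require expr`.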