On 11/20/2010 2:39 PM, Rob Lemaster wrote:
Thanks for the link Issac. If this is already in Apache, why isn't
everyone using it?
On Sat, Nov 20, 2010 at 12:32 PM, Issac Goldstand<mar...@beamartyr.net> wrote:
Nope, you have full x509 based authentication out-of-the-box. See
http://httpd.apache.org/docs/2.2/ssl/ssl_howto.html#allclients
Issac
For those who have a real security need to authenticate their clients in
this way, and are willing to accept the hassles of this method, it is
definitely used. However, the idea that a bank or paypal would issue
certificates for each of its end users can get cumbersome very fast.
See, the private key would be managed by the user. Users (and even some
server administrators) are terribly poor at managing their private keys
in a safe and secure fashion. Some potential complications are a user
switching browsers, a user switching computers, a user's key becoming
compromised, loss of the key, etc. On top of that, the signing
institution would need to be able to keep track of certificates it
should no longer accept via CRLs and have infrastructure ready to
verify the cert is still valid.
Essentially, the logistics of getting END USERS to generate a key of
appropriate size (and getting them to keep it safe), send a CSR, sign
and return a certificate to them as well as the unavoidable technical
support involved makes this an unattractive option to large institutions
because the average Internet denizen isn't expected to know how to do
this stuff The Right Way.
P.S.
IMHO, this conversation applies to PKI, X509 client authentication and
even password authentication... all of these mechanisms boil down to the
fact that there is some entity that knows who the user is and that your
server will have to take a leap of faith at some point to trust that the
user sitting at the keyboard is who they say they are.
--
Daniel Ruggeri
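The server-side piece of what this thread describes, as an added example that is not from the thread or from the httpd documentation linked above: an Apache 2.2 virtual host that requires an X.509 client certificate from a specific CA and checks it against that CA's CRL. All file paths, hostnames and the subject DN values are assumptions.

```apache
# Apache 2.2 vhost requiring X.509 client certificates (added example;
# paths, ServerName and the DN values are assumptions).
<VirtualHost *:443>
    ServerName www.example.com
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key

    # Only the CA that issued the client certificates belongs here, not
    # every CA the browser happens to trust.
    SSLCACertificateFile  /etc/ssl/certs/client-ca.crt

    # Revocation list published by that CA. mod_ssl 2.2 reads it at
    # startup, so the job that fetches a fresh CRL must also reload httpd.
    SSLCARevocationFile   /etc/ssl/crl/client-ca.crl

    # Fail the TLS handshake unless the client presents a valid certificate
    # chaining (at most one intermediate deep) to the CA above.
    SSLVerifyClient require
    SSLVerifyDepth  2

    # Application-level check on the certificate subject, on top of the
    # cryptographic validation already done above.
    <Location /account>
        SSLRequire %{SSL_CLIENT_S_DN_O} eq "Example Bank" \
                   and %{SSL_CLIENT_S_DN_OU} eq "Customers"
    </Location>
</VirtualHost>
```

On Apache 2.4 the CRL is loaded but not consulted unless `SSLCARevocationCheck chain` is also set, since that directive defaults to `none`.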