On 09 Nov 2011, at 1:52 AM, Daniel Ruggeri wrote:
One thing I know for certain that does not fall in line with this is
if some.where.back.there and some.where.different are signed out of the
same CA, but you wish to send different client certs based on path (such
a use case exists, silly as it may seem in my eyes).
That would be the use case, yes.
We have a service oriented platform that is hardened end to end; in
other words, services are client cert protected, and apps must strongly
authenticate to use the service using their own client cert. Sometimes
the apps need to expose the URL space of the service directly (for the
benefit of ajax, etc), but currently can't do so using a simple proxypass,
because the app next door needs to expose a different service with a
different client cert.
As to the use case being silly, we live in an age of the cloud, where
one app at location A is referencing a service in location B, with an
unsecured network in between. Times have changed :)
Regards,
Graham
--