Hi,

   I've been playing around with client certificates in Netscape and am 
puzzled by a couple of things.

   1) If a client certificate is verified against my CA cert, which is 
public, what is to prevent someone from copying my CA cert, and using the 
copy to verify my client certificates?  I don't know why anyone would do 
this.  They wouldn't be able to sign new client certs with the copy of my 
CA certs, however, in some odd way someone could somehow find it useful to 
temporarily hijack certificate verifications, no?

   2) Since I have SSLVerifyClient turned on, my browser (in this case 
Netscape) brings up a window with a list of client certs to choose 
from.  Is there any way to automate that process and perhaps map different 
client certs to different sites?

   3) If I don't have SSLVerifyClient turned on but still use SSLRequire 
that checks against one of the SSL Client variables, what should happen?  I 
wasn't experimenting too carefully but it seemed like all the checks 
against SSL Client environment variables were ignored when the browser 
didn't provide a client certificate.

tia
r.
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
