On 8/31/05, Conrad Friedrich <[EMAIL PROTECTED]> wrote:
> Is there a way to prevent users (that got a client ssl-certificate (pkcs12)
> for accessing my server) from giving their certs away to others and in that
> way enabling "unwanted" users access to my site?

The client certificate acts as the user's identity. If the user gives away his/her identity or the identity is stolen, then someone else can authenticate to the server using that identity, and that's just the way it is. This is no different than a username/password means of establishing user identity, really, except that the user has perhaps better ways to protect a client certificate than he does a username/password. If the user intentionally gives away the certificate, there's nothing you can do about it.

> Or if there is no elegant solution, maybe someone knows how apache (or a log
> analyzer etc.) can inform me if two different IPs have tried to connect
> simultaneously using the same certificate?

I haven't seen any such tool but that doesn't mean there isn't one out there. Anybody else heard of such a thing?

--Cliff
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      modssl-users@modssl.org
Automated List Manager                            [EMAIL PROTECTED]
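The check asked about in the second question, sketched as an added example that is not part of the original thread or of mod_ssl: a small log analyzer that reports client certificates seen from more than one IP address within a short window. It assumes a dedicated CustomLog line built from mod_ssl's `SSL_CLIENT_M_SERIAL` and `SSL_CLIENT_S_DN` variables; the log file name, the five-minute window and all sample lines are constructed.

```python
import re
from collections import defaultdict
from datetime import datetime, timedelta

# Assumed log format (not from the thread), one line per request:
#   CustomLog logs/ssl_cert.log "%h %t %{SSL_CLIENT_M_SERIAL}x \"%{SSL_CLIENT_S_DN}x\""
LINE_RE = re.compile(r'^(\S+) \[([^\]]+)\] (\S+) "([^"]*)"$')
TIME_FMT = "%d/%b/%Y:%H:%M:%S %z"

# Constructed sample lines; addresses, serials and DNs are made up.
SAMPLE_LOG = """\
192.0.2.10 [31/Aug/2005:10:00:00 +0200] 0A1B "/O=Example/CN=alice"
203.0.113.5 [31/Aug/2005:10:01:00 +0200] 0A1C "/O=Example/CN=bob"
198.51.100.7 [31/Aug/2005:10:02:30 +0200] 0A1B "/O=Example/CN=alice"
192.0.2.44 [31/Aug/2005:10:02:40 +0200] - "-"
192.0.2.10 [31/Aug/2005:10:03:00 +0200] 0A1B "/O=Example/CN=alice"
203.0.113.99 [31/Aug/2005:14:00:00 +0200] 0A1C "/O=Example/CN=bob"
"""

def parse(lines):
    """Yield (time, ip, serial) for requests that presented a client cert."""
    for line in lines:
        m = LINE_RE.match(line.strip())
        if not m or m.group(3) == "-":  # malformed line or no certificate
            continue
        ip, stamp, serial, _dn = m.groups()
        yield datetime.strptime(stamp, TIME_FMT), ip, serial

def shared_certs(lines, window=timedelta(minutes=5)):
    """Map serial -> sorted IPs when one cert is seen from >1 IP within window.

    Keyed on serial alone, which assumes a single issuing CA.
    """
    last_seen = defaultdict(dict)  # serial -> {ip: time of latest request}
    flagged = defaultdict(set)
    for when, ip, serial in sorted(parse(lines)):
        last_seen[serial][ip] = when
        active = {a for a, t in last_seen[serial].items() if when - t <= window}
        if len(active) > 1:
            flagged[serial] |= active
    return {serial: sorted(ips) for serial, ips in flagged.items()}

if __name__ == "__main__":
    for serial, ips in shared_certs(SAMPLE_LOG.splitlines()).items():
        print(f"serial {serial} used from {', '.join(ips)}")
```

A hit is a lead for review rather than proof of sharing: a legitimate user moving between networks also appears from two addresses, and several people behind one NAT address appear as one.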