* Bernhard Froehlich wrote:
> Shaun Lipscombe wrote:
> > [...]
> > One last question... it's to do with client certificates. If I have two
> > websites, say, and they both require client certificates signed by the
> > CA "ABC. Ltd", there is nothing stopping a client certificate being used
> > for authorization to access both sites even though those two sites may
> > not be aware of each other. Is it up to the webserver to go through the
> > certificate, once it's been shown as being valid, and see whether
> > access should be granted, or is there something I've missed? I created
> > two sites that have a CA "in common" in their acceptable CA lists and I can
> > now access both sites with the same certificate. What can I do to avoid
> > such a circumstance?
>
> You should not mix up the fact "The user has a valid certificate" and
> "The user has access to something".
Yes, this is what I did. Thanks to you and Bernhard Froehlich I have now got it all clear in my brain :-)

Shaun
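The separation Bernhard describes, as an added illustration that is not part of the thread: after TLS has already verified the client certificate, each site applies its own authorization policy to the certificate's identity. The site names, policy table and peer-certificate dicts below are constructed for the example; the dict shape follows what Python's `ssl.SSLSocket.getpeercert()` returns.

```python
# Per-site policy (constructed for this example). A site lists the CAs whose
# signatures it accepts AND the identities it authorizes; a valid signature
# from a shared CA is authentication only and never grants access by itself.
SITE_POLICY = {
    "intranet.example": {
        "trusted_issuers": {"ABC. Ltd"},
        "allowed_identities": {"alice@example.org"},
    },
    "partner.example": {
        "trusted_issuers": {"ABC. Ltd"},
        "allowed_identities": {"bob@example.org"},
    },
}

def _rdn_value(name, attribute):
    """Return the first value of `attribute` from a getpeercert()-style
    name tuple such as ((('commonName', 'Alice'),),)."""
    for rdn in name:
        for key, value in rdn:
            if key == attribute:
                return value
    return None

def client_identity(peercert):
    """Identity the site authorizes on: the rfc822 (e-mail) SAN if present,
    otherwise the subject commonName."""
    for kind, value in peercert.get("subjectAltName", ()):
        if kind == "email":
            return value
    return _rdn_value(peercert["subject"], "commonName")

def authorize(site, peercert):
    """Access decision for a client certificate TLS has already validated.
    Step 1 checks the issuer is one this site trusts; step 2 checks the
    holder's identity is on this site's own allow-list."""
    policy = SITE_POLICY[site]
    issuer = _rdn_value(peercert["issuer"], "organizationName")
    if issuer not in policy["trusted_issuers"]:
        return False
    return client_identity(peercert) in policy["allowed_identities"]

# Constructed peer certificates in the shape ssl.SSLSocket.getpeercert() returns.
ALICE_CERT = {
    "subject": ((("commonName", "Alice"),),),
    "issuer": ((("organizationName", "ABC. Ltd"),),),
    "subjectAltName": (("email", "alice@example.org"),),
}
# Same e-mail identity, but issued by a CA neither site trusts.
SPOOF_CERT = {
    "subject": ((("commonName", "Alice"),),),
    "issuer": ((("organizationName", "Other CA"),),),
    "subjectAltName": (("email", "alice@example.org"),),
}
```

The same certificate that Alice uses to reach the intranet is refused by the partner site, which is the behaviour the question was asking for.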