Urjit Gokhale wrote:

It seems that you are making the common mistake of conflating authentication
with authorization.  Certs are useful in binding pubkeys to identities and
subsequently in verifying possession of the private key by being able to
perform decryption.

The SSL protocol has provision for client_auth, which means that the
server and client must each present a cert.  If this is the case,
need_client_auth is communicated in the handshake, along with a list
of DNs of CAs trusted by the server.  The client must present a cert
or cert chain which is rooted in one of those CAs.

> ...  is it necessary to
> issue ONE certificate to EACH individual.

Yes.  The problem of granting access based on membership in a group
is an authorization problem.  This doesn't have anything to do with
certificates -- permissions and roles change independently of binding
of key to identity.  LDAP, flat files, /etc/group, etc.

You could have a hierarchy, with a subordinate CA for each role or
group, if you want to manage it that way.  I wouldn't.

- Michael
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
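The split Michael describes, as an added example that is not from this thread or the OpenSSL project: a server-side `ssl.SSLContext` that requires a client certificate chained to a trusted CA (the need_client_auth handshake), and a separate authorization lookup against an /etc/group-style table that can change without touching any certificate. `SAMPLE_GROUP_FILE`, `SAMPLE_POLICY` and the function names are constructed assumptions.

```python
import ssl

# Constructed sample in /etc/group format: group:password:gid:member,member
SAMPLE_GROUP_FILE = """\
admins:x:1001:alice
operators:x:1002:alice,bob
auditors:x:1003:carol
"""
# Constructed policy: which groups may perform which operation.
SAMPLE_POLICY = {"deploy": {"admins", "operators"},
                 "read_logs": {"admins", "auditors"}}

def make_server_context(certfile, keyfile, cafile):
    """Server context that requires a client cert chained to a CA in cafile.

    CERT_REQUIRED makes the server send a CertificateRequest listing those
    CAs and reject the handshake otherwise, so getpeercert() can be trusted.
    """
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=cafile)
    ctx.load_cert_chain(certfile, keyfile)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx

def common_name(peercert):
    """Authentication result: CN from the dict SSLSocket.getpeercert() returns."""
    for rdn in (peercert or {}).get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None

def parse_groups(text):
    """Parse /etc/group-style lines into {user: set of group names}."""
    membership = {}
    for line in text.splitlines():
        if not line or line.startswith("#"):
            continue
        name, _pw, _gid, members = line.split(":", 3)
        for user in filter(None, members.split(",")):
            membership.setdefault(user, set()).add(name)
    return membership

def authorize(peercert, operation, group_text=SAMPLE_GROUP_FILE, policy=SAMPLE_POLICY):
    """Authorization: is the verified CN in a group the policy allows for op?"""
    cn = common_name(peercert)
    if cn is None:
        return False
    return bool(parse_groups(group_text).get(cn, set()) & policy.get(operation, set()))
```

Only call `authorize` with the dict from a socket accepted under `make_server_context`; a context with `CERT_NONE` returns an empty peer cert and the identity would be unverified.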