Sybren Stuvel wrote:
> Michael Ekstrand enlightened us with:
> > clients aren't expected to have their own certificates. I think that
> > the only time you really need the clients to have certificates is
> > when the certificate *is* your authentication (e.g., in OpenVPN).
>
> Fact remains that a strong certificate is much more secure than
> letting people choose their own passwords.

I suppose it depends on your degree of paranoia (not that I want to belittle paranoia - it is a healthy instinct in this context).

I was recommended to read O'Reilly's Network Security with OpenSSL. The first chapter is available online - http://www.oreilly.com/catalog/openssl/chapter/ch01.pdf

It is a 30 page introduction which explains the concepts fairly thoroughly. After describing how a server sends a certificate and a client validates it, it simply says "Although rare, the server can also request a certificate from the client".

Obviously there are many different scenarios, but for my particular one, user id and password is 'good enough'.

Frank