1) for authentication: depend upon mod_ssl configured with an appropriate
SSLVerifyClient option. [i.e. decline to authenticate a user if no client
cert was passed; be configurable to fail or warn stridently if a client cert
was passed but SSLVerifyClient optional_no_ca is in use]
With
-Original Message-
From: Eric Covener [mailto:cove...@gmail.com]
From: Pete Thomas [ptho...@hpti.com]
1) for authentication: depend upon mod_ssl configured with an
appropriate SSLVerifyClient option.
[i.e. decline to authenticate a user if no client cert was passed; be
-BEGIN PGP SIGNED MESSAGE-
Hash: SHA512
Thomas, Peter wrote:
From: Eric Covener [mailto:cove...@gmail.com]
I think AuthType cert is reasonable as long as you can demonstrate using
the the traditional authz providers.
Agreed. I'll think about what test cases are appropriate to
