[76] in cryptography@c2.net mail archive


Re: Server Authentication

daemon@ATHENA.MIT.EDU (Tom Weinstein)
Tue Jan 21 08:22:24 1997

Date: Mon, 20 Jan 1997 23:24:19 -0800
From: Tom Weinstein <tomw@netscape.com>
To: cryptography@c2.net

Eric Murray wrote:
> 
> Bill Frantz writes:
>>
>> I recently became aware of an interesting problem in server
>> authentication, i.e. how does a browser plugin validate the server
>> it is working for.  There are many reasons for a plugin to want to
>> validate its web server including contractual relations, but the one
>> that most appeals to me is that the plugin provides access to
>> confidential data which is used in an application distributed between
>> the client machine and the server.  Since the data is confidential,
>> the plugin doesn't want to send it to just any server who can serve
>> up a web page in the correct format, so it needs to authenticate the
>> server.
>>
>> Now the obvious way to validate the server would be through the
>> certificates exchanged when the SSL session was set up.  (I am
>> assuming a SSL session here because you shouldn't send confidential
>> data over a non-encrypted link.)  However, I haven't found an API
>> where the plugin can discover the certificate used by the server, so
>> it appears you have to roll your own.
> 
> I think that you can get access to the server's certificate.
> I know you can from the CGI interface.  Unfortunately it's the
> raw ASN.1 encoded certificate, so you would have to ASN.1 decode it.
> Bleah.

Yes, you can get at the client's cert from a server-side CGI or NSAPI
module.  We don't currently have an API that lets plugins get at server
certs.  I do have such an API planned, but I can't give you any
guarantee as to when I'll have time to write it or what release it will
be in.

-- 
You should only break rules of style if you can    | Tom Weinstein
coherently explain what you gain by so doing.      | tomw@netscape.com
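The check Bill Frantz describes, written out as an added example (this is not code from the thread, from Netscape, or from the plugin API Tom says did not yet exist): the plugin receives the server's raw DER-encoded certificate, decodes it, and refuses to release confidential data unless the certificate matches a fingerprint pinned into the plugin and names the expected host. The host name `app.example.test` and the self-signed certificate generated by `MakeServerCertDER` are constructed sample input standing in for the ASN.1 blob the server side hands out; modern Go does the "bleah" ASN.1 decode in one call, which a 1997 plugin would have had to write by hand.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/hex"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// MakeServerCertDER builds a self-signed server certificate and returns it in
// DER form. Constructed sample input (hypothetical host name): it stands in for
// the raw ASN.1-encoded certificate the thread says the server side can obtain,
// and that a plugin would have to decode itself.
func MakeServerCertDER(host string) ([]byte, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	// Self-signed: the template is its own parent.
	return x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
}

// Fingerprint is the SHA-256 of the DER bytes, hex-encoded. Pinning this value
// is the "roll your own" server check: the plugin ships the fingerprint of the
// one server it is allowed to hand confidential data to.
func Fingerprint(der []byte) string {
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:])
}

// AuthenticateServer is the check the plugin runs before it releases any
// confidential data. der must be the certificate from the SSL session actually
// in use; a certificate supplied by page content proves nothing about the peer.
func AuthenticateServer(der []byte, pinnedFingerprint, expectedHost string, now time.Time) error {
	// Step 1: ASN.1/DER decode. x509.ParseCertificate does the whole decode and
	// rejects malformed input, so garbage never reaches the later checks.
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return fmt.Errorf("server certificate is not valid DER: %w", err)
	}
	// Step 2: the pin. Compare over the exact bytes, so any change to the
	// certificate (re-issue, different key, different issuer) fails closed.
	if Fingerprint(der) != pinnedFingerprint {
		return errors.New("server certificate does not match the pinned fingerprint")
	}
	// Step 3: the certificate must name the host the plugin believes it is
	// talking to, and must be inside its validity period.
	if err := cert.VerifyHostname(expectedHost); err != nil {
		return fmt.Errorf("host name check failed: %w", err)
	}
	if now.Before(cert.NotBefore) || now.After(cert.NotAfter) {
		return errors.New("server certificate is outside its validity period")
	}
	return nil
}

func main() {
	der, err := MakeServerCertDER("app.example.test")
	if err != nil {
		panic(err)
	}
	pin := Fingerprint(der) // in a real deployment this is baked into the plugin
	fmt.Println("pinned fingerprint:", pin)
	fmt.Println("same server:  ", AuthenticateServer(der, pin, "app.example.test", time.Now()))
	fmt.Println("wrong host:   ", AuthenticateServer(der, pin, "other.example.test", time.Now()))
	impostor, _ := MakeServerCertDER("app.example.test")
	fmt.Println("impostor cert:", AuthenticateServer(impostor, pin, "app.example.test", time.Now()))
}
```

Two caveats belong with this. First, the pin only means something if the bytes come from the SSL session the plugin is actually using, which is exactly the API the thread says was missing; comparing a certificate that the page itself supplied authenticates nothing. Second, pinning a single fingerprint trades chain validation for a hard dependency on that one certificate, so re-issuing the server certificate requires shipping a new plugin; pinning the issuing CA or the server's public key instead loosens that, at the cost of checks beyond what this example shows.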
