[3975] in WWW Security List Archive
Re: SSL and Access Control Policy
daemon@ATHENA.MIT.EDU (Patrick C. Richard)
Tue Jan 14 05:39:22 1997
Date: Tue, 14 Jan 1997 00:46:36 -0800 (PST)
From: "Patrick C. Richard" <patr@xcert.com>
To: si10875@ci.uminho.pt
cc: "www-security@ns2.rutgers.edu" <www-security@ns2.rutgers.edu>
In-Reply-To: <9701132209.AA22156@caeiro.ci.uminho.pt>
Errors-To: owner-www-security@ns2.rutgers.edu
On Mon, 13 Jan 1997 si10875@ci.uminho.pt wrote:

> I have already posted a mail on this subject, and so did Andy Frush, but
> no one seems to know anything about this!
>
> Isn't it possible to use SSL authentication to apply a site access policy,
> using the identification on the certificate?

This is what is in use at many sites. To see a demonstration of this
running live (since March '96) go to http://www.xcert.com.

>
> Is it possible to define what client certificates a server accepts?

Yes.

> How is that done with Apache-SSL?

This is set up in the CTX structure of the SSL connection.
In other words, Apache-SSL has some flags that you can set to tell it
where to find CA certs that are acceptable as signers of connecting
client certs.

If you want more fine-grained access control (based on the DN of the connecting
client) you can choose from a number of options, including plug-ins available
for many HTTP servers as well as some newer HTTP servers.
This is also present in Stronghold, and actually nicer
in the latest Stronghold beta (uses the regex stuff from Sioux).

If you want even finer control (based on using the connecting client cert as
a pointer to some DB record that allows access control, and presenting
dynamic pages based on that access control), see the above mentioned
site.

>
> Thanks.
>
> Jorge
>

----
Pat Richard - patr@x509.com
Xcert Software Inc. - http:/www.x509.com
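
The two finer-grained options described in the reply above (rules on the DN of the connecting client, and the certificate used as a pointer to a DB record), as an added example in Python that is not part of the original message and is not Apache-SSL or Stronghold code. The rules, account table, function names and sample certificates are constructed; the certificate dictionaries follow the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and the example assumes the TLS layer has already verified the chain against the accepted CA certs.

```python
import re

# Constructed rules: the longest matching path prefix wins. Each rule pins
# the issuing CA's organization and gives one regex per subject attribute.
RULES = {
    "/admin/": {"issuer_o": "Example CA", "subject": {
        "organizationName": r"Example Corp",
        "organizationalUnitName": r"Ops|Security"}},
    "/": {"issuer_o": "Example CA", "subject": {
        "organizationName": r"Example Corp"}},
}
# Constructed stand-in for the DB record a certificate points to,
# keyed by (issuer organization, certificate serial number).
ACCOUNTS = {("Example CA", "0A1B"): {"user": "alice", "disabled": False},
            ("Example CA", "0A1C"): {"user": "bob", "disabled": True}}

def sample_cert(serial, ou, cn, issuer_o="Example CA"):
    """Constructed sample shaped like ssl.SSLSocket.getpeercert() output."""
    return {"serialNumber": serial,
            "issuer": ((("organizationName", issuer_o),),),
            "subject": ((("organizationName", "Example Corp"),),
                        (("organizationalUnitName", ou),),
                        (("commonName", cn),))}

def attrs(name):
    """Flatten a name (a tuple of RDNs) into {attribute: [values]}."""
    out = {}
    for rdn in name:
        for key, value in rdn:
            out.setdefault(key, []).append(value)
    return out

def authorize(cert, path):
    """Return the account allowed to fetch `path`, or None to deny."""
    prefix = max((p for p in RULES if path.startswith(p)), key=len, default=None)
    if not cert or prefix is None:  # empty dict: no verified client cert
        return None
    rule, subject = RULES[prefix], attrs(cert["subject"])
    if attrs(cert["issuer"]).get("organizationName") != [rule["issuer_o"]]:
        return None
    for attr, pattern in rule["subject"].items():
        values = subject.get(attr, [])
        # fullmatch per attribute value, never a search over the flattened DN,
        # so text placed in another field (e.g. the CN) cannot satisfy a rule.
        if len(values) != 1 or not re.fullmatch(pattern, values[0]):
            return None
    account = ACCOUNTS.get((rule["issuer_o"], cert.get("serialNumber")))
    if account is None or account["disabled"]:
        return None
    return account["user"]
```

Denying by default at every step means a missing attribute, an unknown serial number or a disabled account all fall through to the same refusal.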