[3982] in WWW Security List Archive
Re: SSL and Access Control Policy
daemon@ATHENA.MIT.EDU (John Gervasi - Loral - X1468)
Tue Jan 14 14:52:14 1997
Date: Tue, 14 Jan 1997 12:14:01 -0500
From: gervasi@manassas1.tds-gn.lmco.com (John Gervasi - Loral - X1468)
To: www-security@ns2.rutgers.edu, si10875@ci.uminho.pt
Errors-To: owner-www-security@ns2.rutgers.edu
> From owner-www-security@ns2.rutgers.edu Tue Jan 14 10:37:35 1997
>
> Subject: SSL and Access Control Policy
>
> I have already posted a mail on this subject, and so did Andy Frush, but
> no one seems to know anything about this!
>
> Isn't it possible to use SSL authentication to apply a site access policy,
> using the identification on the certificate?
>
> Is it possible to define what client certificates a server accepts?
> How is that done with Apache-SSL?
>
> Thanks.
>
> Jorge
>
SSL is a middle layer between HTTP and TCP. It only provides a mechanism for establishing a secure session between the browser and the server. This secure session uses a symmetric key for encryption for all subsequent session communications after the initial session is established using an RSA public/private key pair. However, associated with this session establishment is the notion of verification of the originating server. Here is where the server authentication comes in. As a server and provider of service, you need to have a 3rd party like Verisign create a certificate for you after you establish your credentials.

If I understand your first question about site access policy, the server certificate establishes for the browser/user that your server is what your URL says it is. This gives the user a warm fuzzy if his browser is set up to accept the certifying authority you used for your certificate.

Your second question deals specifically with the Apache server. I am only familiar with Netscape Enterprise Server. But in any event, Netscape's server does have a configuration item that deals with user certificates and acceptable certifying authorities.

Hope this helps.
MY COORDINATES:
John J. Gervasi
Engineering Support Manager
Global Transportation Network Project

Lockheed Martin
9255 Wellington Road, Building 102
Manassas, Virginia 20110-4121

work 703.367.2534
fax 703.367.1076
e-mail john.j.gervasi@lmco.com
or gervasi@manassas1.tds-gn.lmco.com
>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>>
Remember, life is what happens to you while
you were hoping for other results. :-)
<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<<
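The two things Jorge asks for, restricting which client certificates a server accepts and then applying a site access policy to the identity in the certificate, are shown below as an added example using Python's standard-library ssl module. It is not code from this thread, from Apache-SSL or from Netscape Enterprise Server. The certificate and key file paths are placeholders, and the sample certificates are constructed dicts in the layout that ssl.SSLSocket.getpeercert() returns for a verified peer.

```python
"""Client-certificate access policy with the stdlib ssl module (added example)."""
import ssl

# --- Part 1: which client certificates the server accepts at all ---------------

def make_server_context(cert_file: str, key_file: str, ca_file: str) -> ssl.SSLContext:
    """Build a server-side TLS context that presents our own certificate and
    demands a client certificate chaining to a CA listed in ca_file.
    A client with no certificate, or one signed by an unknown CA, fails the
    handshake before any HTTP request is ever read.  File paths are
    placeholders supplied by the caller."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert_file, key_file)   # the server's own certificate + key
    ctx.load_verify_locations(cafile=ca_file)  # CAs whose client certs we accept
    ctx.verify_mode = ssl.CERT_REQUIRED        # client cert mandatory, not optional
    return ctx

# --- Part 2: the access policy applied to the verified certificate --------------

# Constructed policy: only certs issued by our own CA, for our own organisation,
# and only for the named users.  Checking the issuer here matters when ca_file
# holds more than one CA, since the handshake alone accepts any of them.
POLICY = {
    "issuer_cn": "Example Corp CA",
    "organization": "Example Corp",
    "users": {"alice", "carol"},
}

def _rdn_value(cert: dict, field: str, attr: str):
    """Pull one attribute (e.g. 'commonName') out of the tuple-of-tuples that
    getpeercert() uses for the 'subject' and 'issuer' fields."""
    for rdn in cert.get(field, ()):
        for key, value in rdn:
            if key == attr:
                return value
    return None

def evaluate(cert: dict, policy: dict = POLICY):
    """Return (allowed, reason) for a peer certificate dict.  An empty dict
    (no certificate presented) is rejected at the first check."""
    issuer_cn = _rdn_value(cert, "issuer", "commonName")
    if issuer_cn != policy["issuer_cn"]:
        return False, f"unexpected issuer {issuer_cn!r}"
    org = _rdn_value(cert, "subject", "organizationName")
    if org != policy["organization"]:
        return False, f"organization {org!r} not permitted"
    cn = _rdn_value(cert, "subject", "commonName")
    if cn not in policy["users"]:
        return False, f"user {cn!r} not on the access list"
    return True, f"{cn} admitted"

def handle_connection(tls_conn: ssl.SSLSocket):
    """Per-connection hook: the handshake already proved the cert chains to a
    trusted CA; this applies the site policy to the identity it carries."""
    return evaluate(tls_conn.getpeercert())

# --- Constructed sample certificates in getpeercert() layout --------------------

def _cert(cn, org, issuer_cn):
    return {
        "subject": ((("countryName", "PT"),), (("organizationName", org),), (("commonName", cn),)),
        "issuer": ((("countryName", "PT"),), (("organizationName", org),), (("commonName", issuer_cn),)),
        "notAfter": "Jan 14 12:00:00 1998 GMT",
    }

ALICE = _cert("alice", "Example Corp", "Example Corp CA")      # on the list
BOB = _cert("bob", "Example Corp", "Example Corp CA")          # valid cert, not listed
IMPOSTOR = _cert("alice", "Example Corp", "Other CA")          # same CN, different CA

if __name__ == "__main__":
    for label, cert in (("alice", ALICE), ("bob", BOB), ("impostor", IMPOSTOR)):
        print(label, evaluate(cert))
```

The split mirrors what the reply describes: the handshake (Part 1) settles whether a certificate is acceptable at all, and the policy (Part 2) decides what the identity inside it may do. The impostor case shows why the policy re-checks the issuer rather than trusting the common name alone.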