
Re: [iaik-ssl] Hw to do client authentication only?



I don't think it is fair to call SSL broken. After all it is doing a fine
job in a number of applications. It may not be ideal for all
applications, but then again no one ever said it would be. In general I do
not understand your criticism regarding client authentication as client
authentication is available for all ciphersuites except DH_anon and
trivial to enforce by the server.

Getting back to the original question, client-only authentication is not
specified in the SSL/TLS protocol. Assuming you are using iSaSiLk (or
some other product with this feature) on both ends of the connection you
can somewhat achieve the equivalent by manually reversing the client and
server roles using setUseClientMode().

Regards,

 Andreas Sterbenz              mailto:Andreas.Sterbenz@iaik.at


-----Original Message-----
From: "Polar Humenn" <polar@adiron.com>
To: "Gerald Brose" <brose@inf.fu-berlin.de>
Cc: <iaik-ssl@iaik.tu-graz.ac.at>
Sent: Wednesday, 06 September 2000 14:43
Subject: Re: [iaik-ssl] Hw to do client authentication only?


>
> Hi Gerald,
>
> This is the biggest problem we have with SSL being a security protocol.
> The client cannot be forced to authenticate.
>
> You should see the hoops we have to go through for CORBA security (CSIv2)
> because of SSL. SSL is chosen because people thought that CORBA SECIOP was
> too complicated.
>
> The biggest problem we have is that SSL doesn't follow the GSS-API, and it
> doesn't force client authentication. Also, it's so limited that you cannot
> stick privileges in it.
>
> It's a broken bicycle that shouldn't be allowed to be on the road. But
> apparently it's a pretty color and everybody likes it. And of course,
> there is nothing else mainstream. We'll ride it with flat tires if we have
> to.
>
> Good luck,
> -Polar
>
>  On Wed, 6 Sep 2000, Gerald Brose wrote:
>
> > Is it possible to set up SSL such that only the client
> > is authenticated, i.e. that only clients but not servers
> > need to provide certificates?
> >
> > Setting the cipher suite to allow DH_anon does not work
> > because in this case the client cannot be authenticated.
> >
> > Thanks, Gerald Brose.
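The role reversal Andreas describes, written out as an added illustration that is neither iSaSiLk code nor taken from the thread: standard JSSE's SSLSocket.setUseClientMode() plays the same part, the connecting party runs the TLS server side with its certificate and the accepting party runs the TLS client side and verifies it. Key store and trust store file names, the password and the method names are assumptions.

```java
import java.io.*;
import java.net.*;
import java.security.KeyStore;
import java.security.cert.X509Certificate;
import javax.net.ssl.*;
/** Role-reversed TLS: the side that connects authenticates with a certificate; the side that accepts has none. */
public class ReversedRoles {
    static final String CLIENT_KEYSTORE = "client-identity.p12";   // hypothetical: logical client's key + cert
    static final String SERVER_TRUSTSTORE = "trusted-clients.p12"; // hypothetical: certs the logical server accepts
    static final char[] PASSWORD = "changeit".toCharArray();       // hypothetical store password
    static KeyStore load(String file) throws Exception {
        KeyStore ks = KeyStore.getInstance("PKCS12");
        try (InputStream in = new FileInputStream(file)) { ks.load(in, PASSWORD); }
        return ks;
    }
    static SSLContext identityContext(String keyStoreFile) throws Exception { // used by the logical client
        KeyManagerFactory kmf = KeyManagerFactory.getInstance(KeyManagerFactory.getDefaultAlgorithm());
        kmf.init(load(keyStoreFile), PASSWORD);
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(kmf.getKeyManagers(), null, null); // has a certificate to present; verifies nobody
        return ctx;
    }
    static SSLContext verifierContext(String trustStoreFile) throws Exception { // used by the logical server
        TrustManagerFactory tmf = TrustManagerFactory.getInstance(TrustManagerFactory.getDefaultAlgorithm());
        tmf.init(load(trustStoreFile));
        SSLContext ctx = SSLContext.getInstance("TLS");
        ctx.init(null, tmf.getTrustManagers(), null); // no key pair of its own; only verifies the peer
        return ctx;
    }
    /** Logical server: accept TCP, then take the TLS client role and learn who connected. */
    static String acceptAuthenticatedClient(ServerSocket listener) throws Exception {
        Socket plain = listener.accept();
        SSLSocketFactory f = verifierContext(SERVER_TRUSTSTORE).getSocketFactory();
        SSLSocket tls = (SSLSocket) f.createSocket(plain, plain.getInetAddress().getHostAddress(), plain.getPort(), true);
        tls.setUseClientMode(true);   // reversed: the accepting side runs the TLS client side of the handshake
        tls.startHandshake();         // throws unless the peer's certificate chains to the trust store
        X509Certificate peer = (X509Certificate) tls.getSession().getPeerCertificates()[0];
        return peer.getSubjectX500Principal().getName(); // authenticated identity of the logical client
    }
    /** Logical client: connect, then take the TLS server role and present its own certificate. */
    static SSLSocket connectWithIdentity(String host, int port) throws Exception {
        SSLSocket tls = (SSLSocket) identityContext(CLIENT_KEYSTORE).getSocketFactory().createSocket(host, port);
        tls.setUseClientMode(false);  // reversed: the connecting side runs the TLS server side of the handshake
        tls.setWantClientAuth(false); // the logical server is never asked for a certificate
        tls.startHandshake();
        return tls;
    }
}
```

As the reply notes, this only works when both ends follow the same convention; a peer expecting the normal role assignment cannot complete the handshake against it.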
