
RE: [iaik-ssl] Hw to do client authentication only?



> Is it possible to set up SSL such that only the client
> is authenticated, i.e. that only clients but not servers
> need to provide certificates? 
> 

As far as I know - no.  The server can only request a client certificate if
it has provided its own.  If the server sends the Certificate message then
it *may* also send the CertificateRequest.  In other words, only
non-anonymous servers may do client authentication.

>This is the biggest problem we have with SSL being a security protocol.
>The client cannot be forced to authenticate.

Yes it can actually.  If the server wants to authenticate the client, it
will send a CertificateRequest message to the client.  If the client does
not provide a certificate as a result, the server may terminate the
handshake.

> The biggest problem we have is that SSL doesn't follow the GSS-API, and it
> doesn't force client authentication.

SSL is a protocol, not an API, so your comparison is invalid.  You could
compare an SSL toolkit's API with the GSS-API.

> Also, it's so limited that you cannot stick privileges in it.

This is true, but it was not designed to do that.  The use of attribute
certificates might provide a solution to some aspects of 'privileges'.
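
The rule stated in the reply above, that a server must send its own Certificate before it can send a CertificateRequest and may abort the handshake when no client certificate comes back, and the DH_anon dead end Gerald describes in the quoted message below, can both be checked against a modern TLS stack. The following is an added example written for this archive page, not code from the thread or from the IAIK toolkit. It uses Go's standard crypto/tls, which ships no anonymous cipher suites at all, so a server without a certificate fails the handshake instead of running anonymously. The function names newIdentity, handshake and runScenarios, the in-memory "localhost" test certificates and the scenario labels are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// newIdentity mints a throwaway self-signed certificate for "localhost" with
// the given extended key usage, plus a trust pool holding only that
// certificate. Constructed in memory for this example; not for production.
func newIdentity(cn string, usage x509.ExtKeyUsage) (tls.Certificate, *x509.CertPool) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: cn},
		DNSNames:              []string{"localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{usage},
		BasicConstraintsValid: true,
		IsCA:                  true, // self-signed, so it must act as its own root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der) // DER produced just above is well-formed
	pool := x509.NewCertPool()
	pool.AddCert(leaf)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, pool
}

// handshake runs one TLS handshake over an in-memory pipe and returns the
// server's verdict: the server decides whether its CertificateRequest was
// satisfied and may abort the handshake when it was not.
func handshake(serverCfg, clientCfg *tls.Config) error {
	c1, c2 := net.Pipe()
	deadline := time.Now().Add(5 * time.Second)
	_ = c1.SetDeadline(deadline)
	_ = c2.SetDeadline(deadline)
	serverErr := make(chan error, 1)
	go func() {
		srv := tls.Server(c1, serverCfg)
		err := srv.Handshake()
		srv.Close()
		serverErr <- err
	}()
	cli := tls.Client(c2, clientCfg)
	if err := cli.Handshake(); err == nil {
		// In TLS 1.3 the client finishes before the server has examined the
		// client certificate; one read consumes the server's alert or close.
		_, _ = cli.Read(make([]byte, 1))
	}
	cli.Close()
	return <-serverErr
}

// runScenarios returns the server-side handshake error for three setups
// (nil means the handshake completed).
func runScenarios() map[string]error {
	serverCert, serverPool := newIdentity("example server", x509.ExtKeyUsageServerAuth)
	clientCert, clientPool := newIdentity("example client", x509.ExtKeyUsageClientAuth)
	// Non-anonymous server: sends its Certificate, then a CertificateRequest,
	// and refuses to finish unless a certificate it trusts comes back.
	serverCfg := &tls.Config{
		Certificates:           []tls.Certificate{serverCert},
		ClientAuth:             tls.RequireAndVerifyClientCert,
		ClientCAs:              clientPool,
		SessionTicketsDisabled: true, // no post-handshake writes on the pipe
	}
	clientCfg := &tls.Config{RootCAs: serverPool, ServerName: "localhost", Certificates: []tls.Certificate{clientCert}}
	noCertClientCfg := &tls.Config{RootCAs: serverPool, ServerName: "localhost"}
	// A server with no certificate of its own that still asks for client auth.
	anonServerCfg := &tls.Config{ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: clientPool, SessionTicketsDisabled: true}
	return map[string]error{
		"mutual":              handshake(serverCfg, clientCfg),
		"no-client-cert":      handshake(serverCfg, noCertClientCfg),
		"server-without-cert": handshake(anonServerCfg, clientCfg),
	}
}

func main() {
	for name, err := range runScenarios() {
		fmt.Printf("%-20s server verdict: %v\n", name, err)
	}
}
```

Run it with go run: the mutual case completes, the client that answers the CertificateRequest with an empty Certificate message is refused by the server, and the server with no certificate of its own never gets as far as asking. SessionTicketsDisabled is set only because net.Pipe has no buffering; a real socket does not need it.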

-----Original Message-----
From: Polar Humenn [mailto:polar@adiron.com]
Sent: Wednesday, September 06, 2000 1:43 PM
To: Gerald Brose
Cc: iaik-ssl@iaik.tu-graz.ac.at
Subject: Re: [iaik-ssl] Hw to do client authentication only?



Hi Gerald,

This is the biggest problem we have with SSL being a security protocol.
The client cannot be forced to authenticate.

You should see the hoops we have to go through for CORBA security (CSIv2)
because of SSL. SSL is chosen because people thought that CORBA SECIOP was
too complicated. 

The biggest problem we have is that SSL doesn't follow the GSS-API, and it
doesn't force client authentication. Also, it's so limited that you cannot
stick privileges in it.

It's a broken bicycle that shouldn't be allowed to be on the road. But
apparently it's a pretty color and everybody likes it. And of course,
there is nothing else mainstream. We'll ride it with flat tires if we have
to.

Good luck,
-Polar

On Wed, 6 Sep 2000, Gerald Brose wrote:

> Is it possible to set up SSL such that only the client
> is authenticated, i.e. that only clients but not servers
> need to provide certificates? 
> 
> Setting the cipher suite to allow DH_anon does not work
> because in this case the client cannot be authenticated.
> 
> Thanks, Gerald Brose.
> --
> Gerald Brose,                       Mail:       brose@inf.fu-berlin.de
> FU Berlin        (for PGP key see:) http://www.inf.fu-berlin.de/~brose
> Institut f. Informatik              Ph-one:        (++49-30) 838-75112
> Berlin, Germany                     Ph-ax:         (++49-30) 838-75109
> --
> Mailinglist-archive at
> http://jcewww.iaik.at/mailarchive/iaik-ssl/sslthreads.html
> 
> To unsubscribe send an email to listserv@iaik.at with the following
> content: UNSUBSCRIBE iaik-ssl
> 
> 

-------------------------------------------------------------------
Polar Humenn                  Adiron, LLC
mailto:polar@adiron.com       2-212 CST      
Phone: 315-443-3171           Syracuse, NY 13244-4100
Fax:   315-443-4745           http://www.adiron.com
