
List:       apache-modperl
Subject:    Re: [OT] Client authentication
From:       "Philippe M. Chiasson" <gozer () ectoplasm ! org>
Date:       2007-09-24 3:40:08
Message-ID: 46F73198.5030406 () ectoplasm ! org


Bill Moseley wrote:
> On Sun, Sep 23, 2007 at 01:44:44AM -0700, Philippe M. Chiasson wrote:
>>
>>> If the concern is that someone might spoof an IP address then the
>>> shared secret seems adequate.
>> If the secret is ever compromised, you have to update every single
>> client/server out there. If a client cert is compromised, you revoke it
>> and carry on doing business as usual.
>>
>>> If the concern is that someone might hack a client machine and make
>>> fake requests to the server then it seems the hacker would have access to
>>> the client cert just as easily as the shared secret.
>> Yup, but you can revoke a client-cert, not a shared secret...
> 
> Hum, perhaps I'm missing something.
> 
> The shared secret can be a single pair between a specific client and
> the server.
> 
> The server is set up with a list of known secrets, so it's possible
> that each client has its own secret pair with the server.  If a client
> is compromised then just that secret pair is removed/replaced and
> other clients continue.

That's correct, however, the idea with public-key crypto (as in this case)
is that the key generation can be handled by the clients themselves, and
the CA's responsibility is just signing stuff.

But in your case, if managing shared-secrets in this way is not a problem,
then it doesn't matter what approach you choose.

>>> But, as I said, I have not used client certs before so I might be
>>> missing a key point.
>> Oh, and a bonus point. Client applications can generate their own certs,
>> and only get your CA to sign them.  It's a much neater approach IMO. And
>> totally worth the slight extra complexity of running your own CA.
> 
> Plus, it all happens at a higher level.  The shared secret has to be
> at the application, where mod_ssl can handle client cert.
> 
> It's just something I need to learn more about...

Applied Cryptography - Bruce Schneier (http://www.amazon.com/dp/0471117099)

------------------------------------------------------------------------
Philippe M. Chiasson     GPG: F9BFE0C2480E7680 1AE53631CB32A107 88C3A5A5
http://gozer.ectoplasm.org/       m/gozer\@(apache|cpan|ectoplasm)\.org/
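
An added example, not part of the original message: the client-cert lifecycle discussed in this thread (the client generates its own key, the CA only signs, and one client is revoked while the others carry on), run with the `openssl` CLI. The CA name, client names, function names and directory layout are assumptions made for the demo.

```shell
# Added demo. The CA name, client names and file layout are constructed.

ca_init() {        # $1 = empty working directory for the demo CA
    mkdir -p "$1/certs" && : > "$1/index.txt" && echo 01 > "$1/serial"
    cat > "$1/ca.cnf" <<EOF
[ req ]
distinguished_name = dn
[ dn ]
[ v3_ca ]
basicConstraints = critical,CA:TRUE
[ ca ]
default_ca = demo
[ demo ]
database = $1/index.txt
serial = $1/serial
new_certs_dir = $1/certs
certificate = $1/ca.crt
private_key = $1/ca.key
default_md = sha256
default_days = 30
default_crl_days = 7
policy = pol
[ pol ]
commonName = supplied
EOF
    openssl req -x509 -config "$1/ca.cnf" -extensions v3_ca -newkey rsa:2048 -nodes \
        -subj "/CN=Demo CA" -days 30 -keyout "$1/ca.key" -out "$1/ca.crt" 2>/dev/null
}

client_enroll() {  # $1 = CA dir, $2 = client name
    # Client side: the key pair is generated locally, only the CSR leaves.
    # (Demo only: a real client keeps its .key on its own machine.)
    openssl req -new -config "$1/ca.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$2" -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    # CA side: sign the request without ever seeing the private key.
    openssl ca -batch -config "$1/ca.cnf" -notext \
        -in "$1/$2.csr" -out "$1/$2.crt" 2>/dev/null
}

client_revoke() {  # mark one client's cert revoked in the CA database
    openssl ca -config "$1/ca.cnf" -revoke "$1/$2.crt" 2>/dev/null
}

client_status() {  # decision of a server that checks a fresh CRL
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/crl.pem" 2>/dev/null
    if openssl verify -crl_check -CAfile "$1/ca.crt" -CRLfile "$1/crl.pem" \
        "$1/$2.crt" >/dev/null 2>&1
    then echo accepted; else echo rejected; fi
}
```

Call `ca_init` on an empty directory, then `client_enroll`, `client_revoke` and `client_status` with that directory and a client name. Revoking one client changes only the CRL the server checks; no other client has to be touched.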

