Re: SSL/TLS - am I doing it right?

From: Paul Rubin <http://phr.cx@xxxxxxxxxxxxxx>
Date: 15 Mar 2006 01:41:16 -0800

"Frank Millman" <frank@xxxxxxxxxxxx> writes:

You also want to generate a client
certificate to install on the server. >

Both you and Sybren are insistent that this is a necessary step, but I
confess I cannot see the need for it. The client is lightweight, and
authenticates itself to the server using a user id and password. What
is the worst that could go wrong?

The client cert approach isn't strictly necessary but it means that
the SSL stack takes care of stuff that your application would
otherwise have to take care of at both the client and the server side.
If you don't generate a certificate, you have to generate a username
and password instead, and manage that. There's still secret
authenticating info on the client, so you haven't really decreased the
client's responsibility. Also, if you need to go to a heavier-duty
approach sometime, there's an industry making hardware devices
(e.g. smart cards) that encapsulate keys and certificates so that the
keys are very difficult to get access to. That improves security
considerably.
.

Follow-Ups:
- Re: SSL/TLS - am I doing it right?
  - From: Sybren Stuvel

References:
- SSL/TLS - am I doing it right?
  - From: Frank Millman
- Re: SSL/TLS - am I doing it right?
  - From: Sybren Stuvel
- Re: SSL/TLS - am I doing it right?
  - From: Frank Millman
- Re: SSL/TLS - am I doing it right?
  - From: Sybren Stuvel
- Re: SSL/TLS - am I doing it right?
  - From: Frank Millman
- Re: SSL/TLS - am I doing it right?
  - From: Sybren Stuvel
- Re: SSL/TLS - am I doing it right?
  - From: Frank Millman
- Re: SSL/TLS - am I doing it right?
  - From: Paul Rubin
- Re: SSL/TLS - am I doing it right?
  - From: Frank Millman

Prev by Date: Re: SSL/TLS - am I doing it right?
Next by Date: details
Previous by thread: Re: SSL/TLS - am I doing it right?
Next by thread: Re: SSL/TLS - am I doing it right?
Index(es):
- Date
- Thread

Relevant Pages

Re: Need for encryption in WSE 3.0 if using SS-avoid man-in-middle
... SSL only validates you are talking to a SSL certified server; ... They can simply edit the URL the client program ... can be done by using a X.509 certificate on both ends, ...
(microsoft.public.dotnet.framework.aspnet.security)
Re: LDP client authentication fails
... I got the LDP working with LDAP server under server client authentication ... I did not installed the certificate in pfx format .. ... Client cert auth won't work without that. ...
(microsoft.public.windows.server.active_directory)
Re: SSL & Man In the Middle Attack
... >> it possible for the middle man to intercept all messages from server to me ... > server sends client a signed message along with a digital certificate. ... > client generates a random secret key, ...
(comp.security.misc)
Re: activesync issue
... On the SBS 2003 Server open the Server Management console. ... On the "Web Server Certificate" page, choose to create a new Web server ... Install the new certificate which created in above step on mobile device: ... Access to browse the Exchange Server 2003 client after you install ...
(microsoft.public.windows.server.sbs)
[Full-disclosure] VMSA-2006-0010 - SSL sessions not authenticated by VC Clients
... X.509 certificate when creating an SSL session, ... Both the client and server need certificates from a mutually-trusted ... VirtualCenter 2.0.1 Patch 1 and VirtualCenter 1.4.1 Patch ...
(Full-Disclosure)