Re: Authentification vs Encryption in a system to system interface
From: Edward A. Feustel (efeustel@erols.com)
Date: 03/01/03
From: "Edward A. Feustel" <efeustel@erols.com> Date: Sat, 1 Mar 2003 15:47:54 -0500
"Anne & Lynn Wheeler" <lynn@garlic.com> wrote in message
news:isv3dt42.fsf@earthlink.net...
> "Edward A. Feustel" <efeustel@erols.com> writes:
> > The authentication can be done mutually when the SSL channel is
> > established. Apache (with the proper modification) permits the
> > authenticated identity to be passed in an environment variable to
> > the "application". The application can do what it will with that
> > information. Whether the application can masquerade as the user in
> > order to use the ACL system depends on the system, but the
> > authenticated ID can be used to determine what the user can do
> > within the file system by using the standard access control
> > mechanisms that Apache provides.
>
> in SSL with SSL domain name server certificates ... the real
> authentication is done when the CA is creating the certificate. the
> browser just checks that the URL typed in just matches the domain
> name in the certificate (is the browser really talking to the server
> that it thinks it is talking to). the vulnerability being addressed is
> possible integrity problems with the domain name infrastructure.
>
> the catch22 of course is that the CA is a certification operation, and
> must verify with the authoritative agency the validity of the
> information being certified (i.e. is the entity requesting a
> certificate really the owner of that domain?). The authoritative
> agency for domain names is the domain name infrastructure ... so CAs
> are relying on the very same agency that has the original integrity
> issue giving rise to the certificate requirement.
>
> so CAs have proposals for improving the integrity of the domain name
> infrastructure ... so that they can rely on the validity of the
> information ... but improving the integrity of the domain name
> infrastructure contributes to mitigating the requirement for having
> certificates in the first place.
>
> similar explanation from sci.crypt:
> http://www.garlic.com/~lynn/2003d.html#29 SSL questions
> http://www.garlic.com/~lynn/2003d.html#30 SSL questions
>
> --
> Anne & Lynn Wheeler | lynn@garlic.com - http://www.garlic.com/~lynn/
> Internet trivia, 20th anniv: http://www.garlic.com/~lynn/rfcietff.htm
While the above is true, the persons in the original article appeared to be
discussing Client Authentication and Authorization rather than Server
Authentication.
Ed Feustel
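
The client-authentication case discussed above, as an added example that is not part of the original thread: an application behind Apache decides what a peer system may do from the identity mod_ssl exports in environment variables. It assumes "SSLVerifyClient require" and "SSLOptions +StdEnvVars"; the issuer DN, subject DNs and ACL are constructed for illustration.

```python
# Added example: authorization from the client identity mod_ssl passes to the app.
# Assumes Apache is configured with SSLVerifyClient require and SSLOptions +StdEnvVars.
# TRUSTED_ISSUER and ACL are constructed sample values, not from the thread.

TRUSTED_ISSUER = "CN=Example Internal CA,O=Example Corp,C=US"

ACL = {  # full subject DN -> permitted actions
    "CN=billing-gw,OU=Systems,O=Example Corp,C=US": {"read", "submit"},
    "CN=report-host,OU=Systems,O=Example Corp,C=US": {"read"},
}

def normalize_dn(dn):
    """Canonicalise a DN given as "/C=US/O=../CN=.." or "CN=..,O=..,C=US".
    Simplified: escaped separators inside attribute values are not handled."""
    dn = dn.strip()
    if dn.startswith("/"):
        parts = [p for p in dn.split("/") if p]
        parts.reverse()  # slash form lists the country first, comma form lists it last
    else:
        parts = [p.strip() for p in dn.split(",") if p.strip()]
    out = []
    for part in parts:
        key, _, value = part.partition("=")
        out.append(f"{key.strip().upper()}={value.strip()}")
    return ",".join(out)

def authorize(environ, action):
    """Return (allowed, detail) for a request described by CGI-style environ."""
    # Only a fully verified chain counts; NONE, GENEROUS and FAILED:* are refused.
    verify = environ.get("SSL_CLIENT_VERIFY", "NONE")
    if verify != "SUCCESS":
        return False, f"client certificate not verified ({verify})"
    # Pin the issuer so an identical subject name from another CA is not accepted.
    if normalize_dn(environ.get("SSL_CLIENT_I_DN", "")) != normalize_dn(TRUSTED_ISSUER):
        return False, "issuer not trusted for this application"
    # Match the whole subject DN, not just the CN, against the ACL.
    subject = normalize_dn(environ.get("SSL_CLIENT_S_DN", ""))
    allowed = ACL.get(subject)
    if allowed is None:
        return False, f"no ACL entry for {subject}"
    if action not in allowed:
        return False, f"{subject} may not {action}"
    return True, subject
```
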