Re: X.509 Certificate based authentication
- From: "Joe Kaplan" <joseph.e.kaplan@xxxxxxxxxxxxxxxxxxxxxxxx>
- Date: Tue, 22 May 2007 10:13:52 -0500
Basically, you need to go by subject and issuer. The assumption is that
the issuer of a certificate will guarantee the uniqueness of the subjects
that it issues and you can restrict the list of issuers that you will accept
certificates from.
It is also possible that you can use certificate mapping in IIS to map
client cert users to Windows users and do your security processing, although
that might not be feasible.
You have to assume that if a user successfully does client cert
authentication with you, only that user has the private key for that
certificate. It is basically equivalent to a user's password, so if someone
else has the private key, they are essentially that user as well.
HTH,
Joe K.
--
Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
http://www.directoryprogramming.net
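To make the "subject and issuer" advice above concrete, here is an added Python example (not code from the thread or from either poster). It takes a peer certificate in the dictionary shape that Python's ssl.SSLSocket.getpeercert() returns, restricts the accepted issuers to an allow-list, and maps the (issuer, subject) pair to an application user; the same two checks apply to the Issuer and Subject values ASP.NET exposes on Request.ClientCertificate. The CA names, subjects, user names and certificate dictionaries are all constructed for the example.

```python
"""Identify a TLS client by certificate subject *and* issuer.

The TLS handshake has already proven that the peer holds the private key;
this code only decides whether we trust the CA that vouches for the subject,
and which application user that (issuer, subject) pair belongs to.
"""
from typing import Optional

# Constructed allow-list: only these CAs may vouch for our clients.
TRUSTED_ISSUERS = {
    "CN=Corp Client CA,O=Example Corp",
}

# Constructed mapping. The key is the (issuer, subject) PAIR, because a
# subject such as CN=localhost is not globally unique on its own.
USER_MAP = {
    ("CN=Corp Client CA,O=Example Corp", "CN=localhost"): "alice",
    ("CN=Corp Client CA,O=Example Corp", "CN=bob.example"): "bob",
}


def dn_to_string(dn) -> str:
    """Flatten a getpeercert()-style DN (tuple of RDN tuples of (key, value)
    pairs) into a canonical 'KEY=value,KEY=value' string usable as a map key."""
    short = {"commonName": "CN", "organizationName": "O",
             "organizationalUnitName": "OU", "countryName": "C"}
    parts = []
    for rdn in dn:
        for key, value in rdn:
            parts.append(f"{short.get(key, key)}={value}")
    return ",".join(parts)


def identify_client(cert) -> Optional[str]:
    """Return the application user for a peer certificate, or None.

    None means 'not authenticated': no certificate, an issuer we do not
    trust, or a subject that issuer has not been registered for.
    """
    if not cert:
        return None  # no client certificate was presented at all
    issuer = dn_to_string(cert.get("issuer", ()))
    subject = dn_to_string(cert.get("subject", ()))
    if issuer not in TRUSTED_ISSUERS:
        return None  # a CA we never agreed to trust signed this subject
    return USER_MAP.get((issuer, subject))


# Constructed peer certificates in getpeercert() dictionary form.
CORP_LOCALHOST = {
    "subject": ((("commonName", "localhost"),),),
    "issuer": ((("commonName", "Corp Client CA"),),
               (("organizationName", "Example Corp"),)),
    "serialNumber": "01",
}
# Same subject "localhost", but issued by a CA outside the allow-list.
ROGUE_LOCALHOST = {
    "subject": ((("commonName", "localhost"),),),
    "issuer": ((("commonName", "Someone Else CA"),),),
    "serialNumber": "01",
}
# Trusted issuer, but a subject nobody registered as a user.
UNKNOWN_SUBJECT = {
    "subject": ((("commonName", "carol"),),),
    "issuer": ((("commonName", "Corp Client CA"),),
               (("organizationName", "Example Corp"),)),
    "serialNumber": "02",
}

if __name__ == "__main__":
    for name, cert in [("corp localhost", CORP_LOCALHOST),
                       ("rogue localhost", ROGUE_LOCALHOST),
                       ("unknown subject", UNKNOWN_SUBJECT)]:
        print(f"{name}: {identify_client(cert)}")
```

The rogue case is the one the question worries about: a second "localhost" certificate from a different CA is rejected even though its subject matches, because identity is only meaningful relative to an issuer you chose to trust.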
--
<gudujarlson@xxxxxxxxx> wrote in message
news:1179526749.602285.247040@xxxxxxxxxxxxxxxxxxxxxxxxxxxxxxx
I want to use X.509 certificates to authenticate and then subsequently
authorize HTTP requests between a Windows Forms client and an ASP.NET
server. So far I have accomplished all of the following:
- created and installed a server certificate
- setup a virtual directory to require client certificates
- created an ASP.NET web form that displays information about the
client certificate
- created and installed a client certificate
- created a Windows Form application that looks up and passes the
client certificate in an HTTP request to the server
Here's the guts of my client:
' Create the request and attach the client certificate for the TLS handshake
Dim aRequest As System.Net.HttpWebRequest = CType(System.Net.WebRequest.Create("https://localhost/ssl/default.aspx"), System.Net.HttpWebRequest)
aRequest.ClientCertificates.Add(certificate)
Here's the guts of my web form:
' Read the client certificate IIS hands to the page
Dim cs As HttpClientCertificate = Request.ClientCertificate
Response.Write("Certificate = " & cs.Certificate.ToString() & "<br>")
All is working well. The cert gets passed over the wire and the
server can read its contents. Now what?
How do I authenticate the client?
How do I use information from the certificate to identify the client?
In other forms of authentication there is a user identifier. What is
the analogy with X.509 certificates? My first guess was that the
"subject" property is the identifier, but I'm not sure that is correct
because it does not appear to be globally unique. For example, the
subject of my client certificate is "localhost". I'm guessing I am not
the only person on the planet with the same subject. How do I verify
that the client is the _right_ "localhost"?
How do I validate that the certificate was sent to me by its owner?
Does calling System.Net.HttpWebRequest.ClientCertificates.Add() cause
the HTTP request to be signed or does it simply cause the certificate
to be passed in the request?
Does IIS do anything with the certificate or does it just pass it
through the web form? I.e. does it perform any sort of validation/
authentication?
All help will be greatly appreciated.