Re: X.509 Certificate based authentication
- From: gudujarlson@xxxxxxxxx
- Date: 23 May 2007 08:32:51 -0700
I had some familiarity with public-private keys at a theoretical level
and in the context of SSH and PGP prior to this project, but I had
never used them with ASP.NET. I think this problem would have been
easier to figure out if the .NET documentation was better. In
particular this document could have more detail.
ms-help://MS.VSCC.v80/MS.MSDN.v80/MS.NETDEVFX.v20.en/cpref10/html/
P_System_Net_HttpWebRequest_ClientCertificates.htm
All it really says is:
HttpWebRequest.ClientCertificates Property
Gets or sets the collection of security certificates that are
associated with this request.
It does not say that the certificate is used to sign the request.
This implies to me that it simply passes the certificate verbatim in
the request (as a header or something). As far as I understand,
simply passing the certificate over the wire verbatim is not a valid
way of authentication. Additionally, the book "Building Secure
Microsoft ASP.NET Applications" from Microsoft Press did not clarify
the question.
After 4 days of googling on this topic and talking to various people
at my company, I have come to the realization that this stuff is not
widely understood. This is disconserting, because I think a security
system needs to be understood by its owners, because otherwise how can
they verify that it is indeed secure?
.
- References:
- Re: X.509 Certificate based authentication
- From: Joe Kaplan
- Re: X.509 Certificate based authentication
- Prev by Date: Re: X.509 Certificate based authentication
- Next by Date: Re: X.509 Certificate based authentication
- Previous by thread: Re: X.509 Certificate based authentication
- Next by thread: Re: X.509 Certificate based authentication
- Index(es):
Relevant Pages
|
