Re: X.509 Certificate based authentication

That's basically right. I'd rephrase your second point to say that the
client "has" the private key. Ownership is more of a loaded word since it
implies that something can be stolen but still owned by someone else. :)
Essentially, the client signs some data using the private key during the
exchange with the server and the server verifies the signature using the
public key in the certificate that the client sends.

The advantage of using commercial CAs is that they typically chain up to
certificates that are built in to the Windows trusted root certificate
store, so they will be trusted as coming from a known source. Certificates
issued by roots that don't chain to a known trusted root will not verify
automatically unless both parties choose to accept the root CA as a trusted

If your system is issuing the client certificates, then they can be issued
by any CA you want as long as you can convince your clients to trust the
certificate and you configure your servers to do the same. However, if you
need to accept arbitrary certificates, this becomes impractical.

The primary benefit of using certificates and PKI over raw keys is that
there is this hierarchical notion of trust that allows you to know something
about the owners of the keys without having to exchange them manually in
advance. Certificates also attempt to associate some identity info with a
key as well as a validity period and usage restrictions.

The only reason why either party would attempt to contact any of the CAs in
the chain would be to check the certificate revocation list (CRL) of any of
the CAs to see whether or not a particular certificate has been revoked.
Everything else is already in the certificate itself.

I'm not sure about a book, but perhaps Practical Cryptography would be a
good start?

Joe K.

Joe Kaplan-MS MVP Directory Services Programming
Co-author of "The .NET Developer's Guide to Directory Services Programming"
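The exchange Joe describes (client proves possession of its private key by signing data, server verifies with the public key in the certificate, and the certificate is trusted only because it chains to a root the server already trusts) as an added example in Go, not code from the original thread. It uses only the Go standard library; Ed25519 keys are an assumption made for brevity, and the root CA, the "client-42" certificate and the nonce are constructed test data. CRL checking, the one step that would contact a CA, is deliberately left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// NewPKI builds a throwaway root CA and one client cert it issued (constructed test data).
func NewPKI() (*x509.CertPool, *x509.Certificate, ed25519.PrivateKey) {
	now, pool := time.Now(), x509.NewCertPool()
	rootPub, rootKey, _ := ed25519.GenerateKey(rand.Reader)
	issue := func(tmpl, parent *x509.Certificate, pub ed25519.PublicKey) *x509.Certificate {
		der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, rootKey) // CA signs tmpl
		if err != nil {
			panic(err) // templates are fixed, so this can only be a programming error
		}
		cert, _ := x509.ParseCertificate(der) // DER produced a line above always parses
		return cert
	}
	rootTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test Root CA"},
		NotBefore: now, NotAfter: now.Add(24 * time.Hour), IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	root := issue(rootTmpl, rootTmpl, rootPub) // parent == tmpl: self-signed root
	pool.AddCert(root)                         // the only root this server trusts
	clientPub, clientKey, _ := ed25519.GenerateKey(rand.Reader)
	clientTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "client-42"}, NotBefore: now,
		NotAfter: now.Add(time.Hour), KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return pool, issue(clientTmpl, root, clientPub), clientKey
}

// SignNonce is the client's step: signing the server's fresh nonce proves it has the private key.
func SignNonce(key ed25519.PrivateKey, nonce []byte) []byte {
	return ed25519.Sign(key, nonce)
}

// Authenticate is the server's step: chain check, then nonce-signature check with the cert's key; no CA is contacted.
func Authenticate(roots *x509.CertPool, cert *x509.Certificate, nonce, sig []byte) error {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}); err != nil {
		return fmt.Errorf("certificate does not chain to a trusted root: %w", err)
	}
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	if !ok || !ed25519.Verify(pub, nonce, sig) {
		return fmt.Errorf("nonce signature does not verify with the certificate's public key")
	}
	return nil
}
```

A certificate from any other root, even a perfectly valid one, fails the chain check, which is the "both parties must trust the root CA" point above in code.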
<gudujarlson@xxxxxxxxx> wrote in message
Thanks for all the replies. What I hear you saying are the following:

- I cannot assume that anything is unique except the public key (or
public key hash), unless the CA specifically asserts it is unique.
- I can assume that IIS does authenticate that the sender of the
certificate is the owner of the private key.
- In general, I have to do my own identification of the client and
subsequent authorization.

Can you refer me to an authoritative general reference on the subject
(e.g. a book)?

One further question... does IIS need to talk to the Certificate
Authority in order to authenticate the client? If not, what exactly
am I paying for when I buy a certificate from a commercial Certificate
Authority? Why can't I make my own certificates? I'm used to making
my own private-public key pairs for SSH.
