Re: Client Certificate

From: David Cross [MS] (dcross_at_online.microsoft.com)
Date: 06/01/04


Date: Tue, 1 Jun 2004 05:22:56 -0700

No, this will not work - the private key is required to sign data back to
the server to provide proof of possession:

"My question is whether an authorized person can use a
pseudo Proxy server or other tools to fake a web page message containing the
HTTP header of a valid client certificate. "

-- 
David B. Cross [MS]
--
This posting is provided "AS IS" with no warranties, and confers no rights.
http://support.microsoft.com
"BC" <btcchan@hotmail.com> wrote in message
news:eE1JEQ4REHA.3608@TK2MSFTNGP10.phx.gbl...
> Hi everybody,
>
> I am building a HTTPS web application for our own staff to access the
> company's web server through the Internet.  The web server is running IIS
> 5.0 on a W2K box.  The web server is installed with a server certificate,
> and the user's browser needs a client certificate to be authenticated by the
> server.  The HTTPS web server is configured with Many-to-one mapping
> specifying that a certificate meets certain criteria (for instance, a
> specific Certificate Authority - CA - issued by our own Microsoft
> certificate server).  My question is whether an authorized person can use a
> pseudo Proxy server or other tools to fake a web page message containing the
> HTTP header of a valid client certificate.  Will the web server be able to
> tell whether the challenged browser does not contain the valid client
> certificate, when the challenge message is being sent back to that fake web
> page.
>
> Thanks a lot.
>
> BC
>
>
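The proof-of-possession step David refers to, modelled as an added example that is not part of this thread: the server issues a fresh challenge, the genuine browser signs it with the certificate's private key, and a proxy holding only the certificate (and even a previously captured signature) cannot produce a valid signature for the new challenge. Textbook RSA over two fixed primes stands in for the real TLS CertificateVerify message; the key pair, nonces and captured signature are constructed for the example.

```python
import hashlib
import os

# Constructed toy key pair for illustration (textbook RSA over two Mersenne primes,
# no padding); a real client key is 2048+ bits and uses a proper padding scheme.
P, Q = 2**31 - 1, 2**61 - 1
N = P * Q
E = 65537
D = pow(E, -1, (P - 1) * (Q - 1))          # modular inverse, needs Python 3.8+
CERT_PUBLIC_KEY = (E, N)                   # what the client certificate carries
BROWSER_PRIVATE_KEY = (D, N)               # held only by the genuine browser

def digest_mod_n(data: bytes, n: int) -> int:
    """Hash the data to be signed and reduce it into the RSA group."""
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n

def sign(private_key, data: bytes) -> int:
    """Client side: the signature that proves possession of the private key."""
    d, n = private_key
    return pow(digest_mod_n(data, n), d, n)

def verify(public_key, data: bytes, signature: int) -> bool:
    """Server side: check the signature with the public key taken from the presented certificate."""
    e, n = public_key
    return pow(signature, e, n) == digest_mod_n(data, n)

def proof_of_possession(client_signer, public_key_from_cert, nonce: bytes = None) -> bool:
    """One challenge-response round: the server picks a fresh nonce, the client must sign it."""
    nonce = nonce or os.urandom(16)          # fresh per handshake, so captured signatures do not replay
    return verify(public_key_from_cert, nonce, client_signer(nonce))

def genuine_browser(nonce: bytes) -> int:
    return sign(BROWSER_PRIVATE_KEY, nonce)

# Constructed: a signature the proxy observed in an earlier, legitimate handshake.
CAPTURED_SIGNATURE = sign(BROWSER_PRIVATE_KEY, b"nonce from an earlier session")

def forging_proxy(nonce: bytes) -> int:
    """The proxy has the certificate (public key) and a captured signature but no private key,
    so the best it can do is replay the captured value, which does not match the new nonce."""
    return CAPTURED_SIGNATURE

if __name__ == "__main__":
    print("genuine browser accepted:", proof_of_possession(genuine_browser, CERT_PUBLIC_KEY))
    print("forging proxy accepted:  ", proof_of_possession(forging_proxy, CERT_PUBLIC_KEY))
```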