Re: authentication (SRP*, DH, TLS)

gmu2006@xxxxxxxxx writes:
> IIRC it with a root certificate it would be enough to
> include the public part with the clients and ideally allow the
> customers to add their own root certs or just run in "I trust
> the server cert anyway as long as the hostname and
> expire-date are OK" mode.

Yes, that's how TLS normally works. For example, your web browser has
a set of root certs configured in the distribution, and you can add
new ones if you want. When you visit a TLS web page (like the
checkout page for a retail site), the browser checks the site cert
against its internal root certs, and pops a warning dialog if the cert
doesn't verify (e.g. it's signed by someone's local CA instead of by
one of the preconfigured ones).

> I could do this with a password or à la SSH public/private key
> authentication, which uses certs too, IIRC. This mechanism is not
> bound to TLS and has to be done after establishing the link, be it TLS
> or not, but will most probably not make much sense without TLS as
> the secret will be on the wire.

I can't understand this. With TLS, you never send secrets over the wire.

> The big disadvantage is that someone
> has to deploy the key(s) to all nodes, and if you have to store the
> private and public key on the same node, as clients & services will
> connect to service@node1 and node1 itself will need to connect to
> services on the other nodes, it gets hairy.

I don't understand this either. If you want to authenticate a node
(whether it's a client or a server), the node has to have a secret.
Client certs are the preferred way to do that in TLS (there's a
public and private key) but any other way also involves a secret.
So you have to have some way of putting a secret on each node.

> I think it is possible to minimize this down to each node connecting
> to the master node only, but the master node itself will have to
> connect to service@node1 and we have the same problem with storing
> both priv/pub key on the same box. Is there a way to do this while
> also authenticating the access between the services on different

Are the clients going to be boxes that you ship to customers
pre-configured? Or are you talking about a PC application of some
kind? How secure does the authentication have to be, e.g. what
happens if someone gets a client credential that says they're someone

You may want to read a book like Security Engineering (by Ross
Anderson) to get more of a sense of what you're dealing with. It has
some material on PKI but it's mostly about security in general.
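
An added example, not part of the original message: the trust setup discussed in this thread (a root cert shipped with the client, customer-added roots, an optional client cert per node) expressed with Python's standard `ssl` module. The function names and file-path parameters are assumptions for illustration; the last function shows that `ssl` will not keep hostname checking once chain verification is switched off.

```python
import ssl

def client_context(vendor_root=None, customer_roots=(), client_cert=None):
    """TLS context for a node acting as a client.

    vendor_root    -- PEM file with the root cert shipped with the client (assumed path)
    customer_roots -- extra PEM root files the customer chose to trust (assumed paths)
    client_cert    -- (certfile, keyfile) if this node must authenticate itself
    """
    # PROTOCOL_TLS_CLIENT starts with CERT_REQUIRED and check_hostname=True.
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    roots = ([vendor_root] if vendor_root else []) + list(customer_roots)
    if not roots:
        ctx.load_default_certs()  # fall back to the OS trust store
    for path in roots:
        ctx.load_verify_locations(cafile=path)  # only the public part is needed
    if client_cert:
        # The private key stays on this node; only the cert goes over the wire.
        ctx.load_cert_chain(*client_cert)
    return ctx

def server_context(server_cert, client_ca=None):
    """TLS context for a node acting as a server.

    server_cert -- (certfile, keyfile) of this node
    client_ca   -- PEM root used to verify client certs; None disables client auth
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.load_cert_chain(*server_cert)
    if client_ca:
        ctx.verify_mode = ssl.CERT_REQUIRED  # reject clients without a valid cert
        ctx.load_verify_locations(cafile=client_ca)
    return ctx

def hostname_only_mode_allowed():
    """Try to keep the hostname check while skipping chain verification."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    try:
        ctx.verify_mode = ssl.CERT_NONE  # check_hostname is still True here
    except ValueError:
        return False  # ssl refuses: a hostname check needs a verified chain
    return True
```

A node that is both client and server, like node1 in the question, can reuse the same certificate and key pair for both contexts.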
