From: Sonu K. <son...@ya...> - 2002-09-11 05:38:14
Thanks Robert for writing in. I already have client authentication active for my specified folder. Whenever a user wants to access that folder they have to present their certificate. My question was: if I have a web site which requires users to log on with user id/password and a valid certificate, how do I ensure that the certificate user "A" presents, with his user id and password, was issued to him and not to any other user? It is possible that user "A" logs on to my web site with his user id/password but uses user "B"'s certificate. In such a case non-repudiation becomes illogical, because this link http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#ToC6 only makes sense if there are few users. I have 5,000 users accessing my site.

The flow goes like this:

The first time, the user goes to my OpenCA and requests a certificate. The certificate is issued to the user. The issued certificates are directly stored into my LDAP using the RA interface. The LDAP now has user id, password and the certificate. My web site uses this LDAP to authenticate the user and give access to the site.

NOW IN SUCH A CASE HOW DO I GO ABOUT ENSURING NON-REPUDIATION.

REGARDS
SONU
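The check the post is asking for, as an added example that is not from the poster or from OpenCA/Apache: after mod_ssl has already validated the client certificate chain, the application compares the certificate the session presented (mod_ssl exports it PEM-encoded in SSL_CLIENT_CERT when SSLOptions +ExportCertData is set) against the userCertificate enrolled for the uid that supplied the password, so a valid password plus someone else's certificate is rejected. The directory records and certificate bytes below are constructed placeholders standing in for the LDAP entries described above.

```python
import base64
import hashlib
import hmac
import os
import re

# Constructed stand-in for the LDAP records the post describes (uid, password,
# userCertificate). The cert bytes are placeholder DER, not real X.509: the
# binding check only needs byte equality, chain validation is mod_ssl's job.
def _pw_record(password):
    salt = os.urandom(16)
    return salt, hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

CERT_A = b"\x30\x82constructed-cert-for-user-A"
CERT_B = b"\x30\x82constructed-cert-for-user-B"

DIRECTORY = {
    "userA": {"pw": _pw_record("secretA"), "userCertificate": CERT_A},
    "userB": {"pw": _pw_record("secretB"), "userCertificate": CERT_B},
}

def pem_to_der(pem):
    """Decode a PEM certificate (the SSL_CLIENT_CERT form) back to DER."""
    body = re.sub(r"-----(BEGIN|END) CERTIFICATE-----", "", pem)
    return base64.b64decode("".join(body.split()))

def to_pem(der):
    """Wrap DER bytes as PEM, used here only to build sample input."""
    b64 = base64.b64encode(der).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return "-----BEGIN CERTIFICATE-----\n" + "\n".join(lines) + "\n-----END CERTIFICATE-----\n"

def fingerprint(der):
    return hashlib.sha256(der).hexdigest()

def authenticate(uid, password, presented_pem, directory=DIRECTORY):
    """True only if the password matches AND the presented (already chain-
    validated) client certificate is the one enrolled for this uid."""
    entry = directory.get(uid)
    if entry is None:
        return False
    salt, stored = entry["pw"]
    candidate = hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)
    if not hmac.compare_digest(candidate, stored):
        return False
    presented = pem_to_der(presented_pem)
    # Constant-time fingerprint comparison binds the TLS session's certificate
    # to the directory entry, so user A cannot log on with user B's certificate.
    return hmac.compare_digest(fingerprint(presented),
                               fingerprint(entry["userCertificate"]))
```

Logging the rejected fingerprint together with the uid gives the audit record that makes the non-repudiation argument hold up.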