[lug] htpasswd security
Bear Giles
bgiles at coyotesong.com
Wed Mar 5 16:00:52 MST 2003
Nate Duehr wrote:
> If the organizations you belong to could easily be their own "real" CAs
> like you describe, they could issue client-side certs for clients to access
> their websites, etc... that's neat.
I have to be careful here because my ideas are ahead of the
implementation, but the idea is that an organization can be fully
self-certifying (and they have to manage distribution of their own
root cert), or it can be a virtual CA where their RA instructs my
CA to issue or revoke certificates, but they don't have any 'CA'
bits set in their own certificates.
"Their RA" could be a full-blown agent that subscribes to the
message server, but it could also be something as simple as web
pages that check for client certificates. Requests will sit in
the queue until an authorized person brings up the web page, then
they'll just see a simple HTML form saying "approve, reject,
defer?" for each request. Once a decision is made, the form's
action can use that authorization to create the message that tells
the CA to sign the request.
That's the magic behind the installation tool mentioned earlier.
You actually get a personal cert, but then the personal cert is
used to authorize a dozen server certs. They'll be signed by the
CA, but the subject information will say that they were issued by
the CA on behalf of the individual.
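An added worked example of the RA-to-CA flow described in the message above. This is not code from the poster or from his CA project; the names, the ECDSA P-256 keys, the one-year validity, encoding the approval as a signature over the CSR bytes, and recording the "on behalf of" relationship in an OU of the subject are all assumptions made for illustration. It uses only Go's standard crypto/x509 and shows the three roles: the CA issues a personal client cert that carries no CA bits, the RA member's "approve" action signs the pending CSR with that cert's key, and the CA signs the CSR only after checking that the approver's cert chains to the CA with a client-auth usage, has no CA bits, and actually covers those exact CSR bytes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }

// template: one-year validity and a random 128-bit serial (illustration choices, not from the post).
func template(subject pkix.Name) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber:          must(rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 128))),
		Subject:               subject,
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(365 * 24 * time.Hour),
		BasicConstraintsValid: true,
	}
}

// issue signs tmpl for public key pub with signer under parent (parent == tmpl gives a self-signed root).
func issue(tmpl, parent *x509.Certificate, pub any, signer *ecdsa.PrivateKey) *x509.Certificate {
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer))))
}

// newCA builds the self-signed root of the virtual CA.
func newCA() (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	t := template(pkix.Name{CommonName: "Example Virtual CA"})
	t.IsCA, t.KeyUsage = true, x509.KeyUsageCertSign|x509.KeyUsageDigitalSignature
	return issue(t, t, &key.PublicKey, key), key
}

// issuePersonalCert: the RA member's client cert, signed by the CA with no CA bits set.
func issuePersonalCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn, org string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key := newKey()
	t := template(pkix.Name{CommonName: cn, Organization: []string{org}})
	t.KeyUsage, t.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	return issue(t, ca, &key.PublicKey, caKey), key
}

// serverCSR is the request a web server operator drops into the RA queue.
func serverCSR(host string) []byte {
	req := &x509.CertificateRequest{Subject: pkix.Name{CommonName: host}, DNSNames: []string{host}}
	return must(x509.CreateCertificateRequest(rand.Reader, req, newKey()))
}

// approve is the RA form's "approve" action: the approver signs the exact CSR bytes with their personal key.
func approve(approverKey *ecdsa.PrivateKey, csrDER []byte) []byte {
	h := sha256.Sum256(csrDER)
	return must(ecdsa.SignASN1(rand.Reader, approverKey, h[:]))
}

// caIssueOnBehalf is the CA side: sign only a CSR approved by a client cert this CA issued,
// and record the approver in the new subject (as an OU here; the post does not say how).
func caIssueOnBehalf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, approver *x509.Certificate, csrDER, approval []byte) (*x509.Certificate, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := approver.Verify(opts); err != nil {
		return nil, fmt.Errorf("approver cert was not issued by this CA: %w", err)
	}
	if approver.IsCA {
		return nil, errors.New("approver cert must not carry CA bits")
	}
	if err := approver.CheckSignature(x509.ECDSAWithSHA256, csrDER, approval); err != nil {
		return nil, fmt.Errorf("approval does not cover this CSR: %w", err)
	}
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err == nil {
		err = csr.CheckSignature() // proof of possession of the server key
	}
	if err != nil {
		return nil, err
	}
	t := template(pkix.Name{CommonName: csr.Subject.CommonName, Organization: approver.Subject.Organization,
		OrganizationalUnit: []string{"Issued on behalf of " + approver.Subject.CommonName}})
	t.DNSNames, t.KeyUsage, t.ExtKeyUsage = csr.DNSNames, x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	return issue(t, ca, csr.PublicKey, caKey), nil
}

func main() {
	ca, caKey := newCA()
	alice, aliceKey := issuePersonalCert(ca, caKey, "Alice Example", "Example Org")
	csr := serverCSR("www.example.org")
	fmt.Println(must(caIssueOnBehalf(ca, caKey, alice, csr, approve(aliceKey, csr))).Subject)
}
```

Run as-is it prints the subject of the server cert issued on Alice's say-so. The three checks in caIssueOnBehalf are the point: a self-signed cert that never came from the CA is rejected at Verify, the CA's own cert is rejected because it carries CA bits, and an approval signature is bound to one CSR, so it cannot be replayed against a different request sitting in the queue. What the example deliberately leaves out, and a deployment would need, is the authorization step the message alludes to: checking that this particular approver is allowed to approve requests for that organization and those host names, not merely that the CA issued their personal cert.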