[phpxmlrpc-devel] Re: [phpxmlrpc] [Fwd: xmlrpc signing]

Justin R. Miller incanus@codesorcery.net
Wed, 30 Oct 2002 07:56:12 -0500


-----BEGIN PGP SIGNED MESSAGE-----
Hash: SHA1

Said Andres Salomon on Wed, Oct 30, 2002 at 02:23:57AM -0500:

> The idea is to identify where a request came from; the cert only
> verifies the server, not the client.  Also, the cert is generally
> self-signed, so I have no reason to trust it.  I was thinking openssl
> signing, not gnupg.

Actually the certificate support that is in there is client and server
certificates, i.e. the *client* has to have the right certificate in
order to interact with the server's certificate.  This is an
alternative to HTTP(S) Basic or Digest username and password
authentication.  In Edd's documentation for the *client* methods, just
after the setCredentials method (i.e. username/password auth), there is
a section for the setCertificate method.  The functionality is described
in the 'HTTPS' section for the cURL docs at:

    http://curl.haxx.se/docs/readme.curl.html

Furthermore, here's a post from this list ;-)

    http://www.mail-archive.com/phpxmlrpc@usefulinc.com/msg00069.html

Most people don't use this feature of HTTPS, but the idea is that *both*
the client and server share 'halves' of a private certificate (the
client's being PEM-formatted), and the client is not allowed to
establish a connection without the proper certificate.  Companies will
occasionally use this, for example installing a client certificate on
the workstations and then having them connect to the server via HTTPS.
The user does not need to worry about authentication, as the browsers
and server take care of this via the private certificates.  

However, I'm not sure that the clients can all have different
certificates, or if they all share the same file.  You would have to
look into the spec for HTTPS if this was a concern.  

> (Hi Justin!  Did you hear about our gig thanksgiving weekend yet?)

Yep :-)  We'll have to carry this further off-list though ;-)

- -- 
[!] Justin R. Miller <incanus@codesorcery.net>
    Encrypted email preferred (key 0xC9C40C31)

-----BEGIN PGP SIGNATURE-----
Version: GnuPG v1.2.1 (FreeBSD)

iD8DBQE9v9bs94d6K8nEDDERAmRLAJ4ovxP6K2Jyd0N5w6l3+0RLhr6fHQCeO9V3
gsr79b8MSt9yh6YyqHPGwVI=
=8YWA
-----END PGP SIGNATURE-----
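
The following is an added example, not part of the original message and not phpxmlrpc's own code. It shows a client presenting its own certificate on an XML-RPC POST and the server deriving the caller's identity from that certificate. It uses PHP's cURL extension directly rather than the library's setCertificate method. It assumes Apache mod_ssl configured with `SSLVerifyClient require` and `SSLOptions +StdEnvVars`, and that each client has been issued its own certificate by a CA the server trusts. The function names, file paths and caller names are hypothetical.

```php
<?php
// Client side: POST an XML-RPC request over HTTPS with a client certificate.
// $tls holds placeholder paths: 'cert' (PEM client certificate), 'key' (its
// private key, which stays on the client) and 'ca' (CA bundle used to verify
// the server).
function xmlrpc_post_with_client_cert(string $url, string $requestXml, array $tls): string
{
    $ch = curl_init($url);
    curl_setopt_array($ch, [
        CURLOPT_POST           => true,
        CURLOPT_POSTFIELDS     => $requestXml,
        CURLOPT_HTTPHEADER     => ['Content-Type: text/xml'],
        CURLOPT_RETURNTRANSFER => true,
        CURLOPT_SSLCERT        => $tls['cert'],
        CURLOPT_SSLKEY         => $tls['key'],
        CURLOPT_CAINFO         => $tls['ca'],
        CURLOPT_SSL_VERIFYPEER => true,  // reject a server certificate we cannot validate
        CURLOPT_SSL_VERIFYHOST => 2,     // certificate must match the host name
    ]);
    $body = curl_exec($ch);
    if ($body === false) {
        // A missing or untrusted client certificate surfaces here as a handshake error.
        throw new RuntimeException('HTTPS request failed: ' . curl_error($ch));
    }
    return $body;
}

// Server side: map the verified client certificate to a caller name.
// $server is normally $_SERVER; mod_ssl fills in the SSL_CLIENT_* variables.
// Returns null unless the certificate verified AND its CN is on the allow-list.
function caller_from_client_cert(array $server, array $allowedCallers): ?string
{
    if (($server['SSL_CLIENT_VERIFY'] ?? 'NONE') !== 'SUCCESS') {
        return null;  // no certificate presented, or chain validation failed
    }
    $cn = $server['SSL_CLIENT_S_DN_CN'] ?? '';
    return in_array($cn, $allowedCallers, true) ? $cn : null;
}

// Constructed sample environments (not captured from a real server).
$allowed  = ['billing-client', 'reports-client'];
$verified = ['SSL_CLIENT_VERIFY' => 'SUCCESS', 'SSL_CLIENT_S_DN_CN' => 'billing-client'];
$unknown  = ['SSL_CLIENT_VERIFY' => 'SUCCESS', 'SSL_CLIENT_S_DN_CN' => 'other-client'];
$noCert   = ['SSL_CLIENT_VERIFY' => 'NONE'];

var_dump(caller_from_client_cert($verified, $allowed)); // string "billing-client"
var_dump(caller_from_client_cert($unknown, $allowed));  // NULL: valid cert, caller not allowed
var_dump(caller_from_client_cert($noCert, $allowed));   // NULL: no client certificate
```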