[phpxmlrpc-devel] Re: [phpxmlrpc] [Fwd: xmlrpc signing]

Andres Salomon dilinger@mp3revolution.net
Wed, 30 Oct 2002 15:08:08 -0500


Thanks for pointing this out.  Documentation seems to be sparse, but it
looks like it may be possible for us to use this by requiring clients to
have been signed by a trusted CA (basically, the server's CA), and
adding SSLOption +CompatEnvVars in order to obtain the client's CN (and
thus differentiate clients).  I'll play with it a bit.

On Wed, Oct 30, 2002 at 07:56:12AM -0500, Justin R. Miller wrote:
> 
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: SHA1
> 
> Said Andres Salomon on Wed, Oct 30, 2002 at 02:23:57AM -0500:
> 
> > The idea is to identify where a request came from; the cert only
> > verifies the server, not the client.  Also, the cert is generally
> > self-signed, so I have no reason to trust it.  I was thinking openssl
> > signing, not gnupg.
> 
> Actually the certificate support that is in there is client and server
> certificates, i.e. the *client* has to have the right certificate in
> order to interact with the server's certificate.  This is an
> alternative to HTTP(S) Basic or Digest username and password
> authentication.  In Edd's documentation for the *client* methods, just
> after the setCredentials method (i.e. username/password auth), there is
> a section for the setCertificate method.  The functionality is described
> in the 'HTTPS' section for the cURL docs at:
> 
>     http://curl.haxx.se/docs/readme.curl.html
> 
> Furthermore, here's a post from this list ;-)
> 
>     http://www.mail-archive.com/phpxmlrpc@usefulinc.com/msg00069.html
> 
> Most people don't use this feature of HTTPS, but the idea is that *both*
> the client and server share 'halves' of a private certificate (the
> client's being PEM-formatted), and the client is not allowed to
> establish a connection without the proper certificate.  Companies will
> occasionally use this, for example installing a client certificate on
> the workstations and then having them connect to the server via HTTPS.
> The user does not need to worry about authentication, as the browsers
> and server take care of this via the private certificates.  
> 
> However, I'm not sure that the clients can all have different
> certificates, or if they all share the same file.  You would have to
> look into the spec for HTTPS if this was a concern.  
> 
> > (Hi Justin!  Did you hear about our gig thanksgiving weekend yet?)
> 
> Yep :-)  We'll have to carry this further off-list though ;-)
> 
> -- 
> [!] Justin R. Miller <incanus@codesorcery.net>
>     Encrypted email preferred (key 0xC9C40C31)
> 
> 
> 
> _______________________________________________
> phpxmlrpc-devel mailing list
> phpxmlrpc-devel@lists.sourceforge.net
> https://lists.sourceforge.net/lists/listinfo/phpxmlrpc-devel

-- 
It's not denial.  I'm just selective about the reality I accept.
	-- Bill Watterson
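The server-side half of the approach Andres describes above (clients signed by a trusted CA, identity taken from the client certificate's CN), as an added example that is not part of this thread or of the phpxmlrpc project. It assumes Apache mod_ssl is configured with `SSLVerifyClient require`, `SSLCACertificateFile` pointing at the CA that signed the clients, and `SSLOptions +StdEnvVars`, so the standard `SSL_CLIENT_*` variables appear in `$_SERVER`; the issuer name `example-xmlrpc-ca` is a placeholder.

```php
<?php
// Identify an XML-RPC client by its verified TLS client certificate.
// Assumed Apache mod_ssl configuration (not from the thread):
//   SSLVerifyClient require
//   SSLCACertificateFile /path/to/trusted-ca.pem   (CA that issued client certs)
//   SSLOptions +StdEnvVars                          (exports SSL_CLIENT_* to PHP)
// Standard mod_ssl variable names are used here; CompatEnvVars uses other names.

function client_identity(array $env): ?string
{
    // mod_ssl reports SUCCESS only when the chain verified against
    // SSLCACertificateFile; NONE or FAILED:... means no or an untrusted cert.
    if (($env['SSL_CLIENT_VERIFY'] ?? '') !== 'SUCCESS') {
        return null;
    }

    // Hypothetical issuer pin: accept only certificates from our own client CA,
    // even if the trust store happens to contain other CAs.
    $trustedIssuerCn = 'example-xmlrpc-ca';   // placeholder value
    if (($env['SSL_CLIENT_I_DN_CN'] ?? '') !== $trustedIssuerCn) {
        return null;
    }

    // The subject CN is the client identity; constrain it to a plain name
    // before it is used for lookups or logging.
    $cn = $env['SSL_CLIENT_S_DN_CN'] ?? '';
    if (!preg_match('/^[A-Za-z0-9._-]{1,64}$/', $cn)) {
        return null;
    }
    return $cn;
}

// Constructed sample environments standing in for $_SERVER (not real requests).
$verified = [
    'SSL_CLIENT_VERIFY'  => 'SUCCESS',
    'SSL_CLIENT_S_DN_CN' => 'client-alpha',
    'SSL_CLIENT_I_DN_CN' => 'example-xmlrpc-ca',
];
$anonymous = ['SSL_CLIENT_VERIFY' => 'NONE'];

var_dump(client_identity($verified));
var_dump(client_identity($anonymous));
// In a live XML-RPC endpoint: $who = client_identity($_SERVER); reject the
// request (e.g. with an XML-RPC fault) when $who is null.
```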