[phpxmlrpc-devel] Re: [phpxmlrpc] [Fwd: xmlrpc signing]

Justin R. Miller incanus@codesorcery.net
Wed, 30 Oct 2002 07:56:12 -0500


Said Andres Salomon on Wed, Oct 30, 2002 at 02:23:57AM -0500:

> The idea is to identify where a request came from; the cert only
> verifies the server, not the client.  Also, the cert is generally
> self-signed, so I have no reason to trust it.  I was thinking openssl
> signing, not gnupg.

Actually the certificate support that is in there is client and server
certificates, i.e. the *client* has to have the right certificate in
order to interact with the server's certificate.  This is an
alternative to HTTP(S) Basic or Digest username and password
authentication.  In Edd's documentation for the *client* methods, just
after the setCredentials method (i.e. username/password auth), there is
a section for the setCertificate method.  The functionality is described
in the 'HTTPS' section for the cURL docs at:


Furthermore, here's a post from this list ;-)


Most people don't use this feature of HTTPS, but the idea is that *both*
the client and server share 'halves' of a private certificate (the
client's being PEM-formatted), and the client is not allowed to
establish a connection without the proper certificate.  Companies will
occasionally use this, for example installing a client certificate on
the workstations and then having them connect to the server via HTTPS.
The user does not need to worry about authentication, as the browsers
and server take care of this via the private certificates.  

However, I'm not sure that the clients can all have different
certificates, or if they all share the same file.  You would have to
look into the spec for HTTPS if this was a concern.  

> (Hi Justin!  Did you hear about our gig thanksgiving weekend yet?)

Yep :-)  We'll have to carry this further off-list though ;-)

-- 
[!] Justin R. Miller <incanus@codesorcery.net>
    Encrypted email preferred (key 0xC9C40C31)

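As an added illustration of the two client-side options Justin contrasts (not code from the thread or from the phpxmlrpc project), here is a client built either with username/password credentials or with a client certificate. It assumes the phpxmlrpc 1.x client API of that era (xmlrpc_client, setCredentials, setCertificate, xmlrpcmsg, send with the 'https' method); the host, path and certificate file are placeholders.

```php
<?php
// Added example, not part of the original thread. Assumed API: phpxmlrpc 1.x
// xmlrpc_client($path, $server, $port), setCredentials($user, $pass),
// setCertificate($pemfile, $passphrase), xmlrpcmsg, send($msg, $timeout, $method).
require_once 'xmlrpc.inc';

function build_client(string $mode): xmlrpc_client
{
    // Placeholder server and path; HTTPS on 443.
    $client = new xmlrpc_client('/xmlrpc/server.php', 'xmlrpc.example.com', 443);

    if ($mode === 'password') {
        // HTTP Basic auth: the username/password travel inside the TLS tunnel
        // and the server checks them on every request.
        $client->setCredentials('alice', getenv('XMLRPC_PASS') ?: '');
    } elseif ($mode === 'certificate') {
        // Client certificate: the TLS handshake itself proves the client's
        // identity, so no username/password is sent at all. The server must be
        // configured to require (and verify) client certificates for this to help.
        $pem = '/etc/xmlrpc/client.pem';   // placeholder: PEM with cert + private key
        if (!is_readable($pem)) {
            throw new RuntimeException("client certificate not readable: $pem");
        }
        // The PEM file holds a private key; refuse to use it if others can read it.
        if (fileperms($pem) & 0044) {
            throw new RuntimeException("client certificate is group/world readable: $pem");
        }
        $client->setCertificate($pem, getenv('XMLRPC_CERT_PASS') ?: '');
    } else {
        throw new InvalidArgumentException("unknown auth mode: $mode");
    }
    return $client;
}

// Usage: certificate-based client calling a standard introspection method.
$client = build_client('certificate');
$resp   = $client->send(new xmlrpcmsg('system.listMethods'), 30, 'https');
if ($resp->faultCode()) {
    echo 'fault ', $resp->faultCode(), ': ', $resp->faultString(), "\n";
} else {
    echo $resp->value()->serialize(), "\n";
}
```

Whether each client gets its own certificate or all share one is a deployment decision on the server side (which CA it trusts and which certificates it accepts), not something the client library decides.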