[cvsnt] sserver with self-signed certificates
Tony Hoyle
tony.hoyle at march-hare.com
Tue Mar 14 00:28:51 GMT 2006
Charles Oram wrote:
> So if I install the user's self-signed certificate on the server, isn't
> that just giving the server the user's public key so that the server can
> authenticate the user? OK, I don't have the full chain of trust that you
> have with signed certificates, but you need more than a username and
> password to login to CVS then.
That's not how SSL works - you create a local CA, then issue
certificates from that CA to your clients. The server then knows it can
trust the certificate as it was issued from its own (trusted) CA. You'd
have to issue the ca.pem for your local CA of course...
This not only allows you to control which clients can connect, but you
can control things like the expiration date and revoke old clients easily.
I know of no implementations that work as you suggest - the whole point
of signing is you don't need huge databases of valid clients.. you'd end
up with login time sucking as it'd have to compare every public key it
knew about with the supplied one (that's even if it's possible to
implement such a scheme in SSL.. you might not be able to get the
presented keys & convert them into a useful format anyway).
Tony
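The local-CA workflow Tony describes, as an added example using the openssl command line; it is not code from the cvsnt project or from anyone in this thread. It assumes a POSIX shell with openssl on the PATH; the client names and the temporary working directory are invented for the demonstration.

```shell
#!/bin/sh
# Added example (not cvsnt code): a local CA issues client certificates, the
# server needs only the CA's ca.pem to check any client, and a CRL lets it
# reject revoked clients. Names (alice, bob) and paths are assumptions.
set -eu
WORK=$(mktemp -d)

make_ca() {
  # Self-signed CA key and certificate; ca.pem is what the server gets.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Local CVS CA" \
    -keyout "$WORK/ca.key" -out "$WORK/ca.pem" 2>/dev/null
  # Minimal config so 'openssl ca' can record revocations and emit a CRL.
  : > "$WORK/index.txt"; echo 01 > "$WORK/crlnumber"
  printf '[ca]\ndefault_ca=local\n[local]\ndatabase=%s/index.txt\ncrlnumber=%s/crlnumber\n' \
    "$WORK" "$WORK" > "$WORK/ca.cnf"
  printf 'certificate=%s/ca.pem\nprivate_key=%s/ca.key\ndefault_md=sha256\ndefault_crl_days=30\n' \
    "$WORK" "$WORK" >> "$WORK/ca.cnf"
}
issue_client() {  # $1 = client name; cert signed by the local CA, 30-day lifetime
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
  openssl x509 -req -in "$WORK/$1.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 30 -out "$WORK/$1.pem" 2>/dev/null
}
self_signed_client() {  # $1 = name; a cert the client signed itself (the quoted proposal)
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$1" \
    -keyout "$WORK/$1.key" -out "$WORK/$1.pem" 2>/dev/null
}
revoke_client() {  # $1 = client name; record the revocation and regenerate the CRL
  openssl ca -config "$WORK/ca.cnf" -revoke "$WORK/$1.pem" 2>/dev/null
  openssl ca -config "$WORK/ca.cnf" -gencrl -out "$WORK/crl.pem" 2>/dev/null
}
verify_client() {  # $1 = name; succeeds only for an unrevoked cert issued by our CA
  if [ -f "$WORK/crl.pem" ]; then
    openssl verify -crl_check -CAfile "$WORK/ca.pem" -CRLfile "$WORK/crl.pem" \
      "$WORK/$1.pem" >/dev/null 2>&1
  else
    openssl verify -CAfile "$WORK/ca.pem" "$WORK/$1.pem" >/dev/null 2>&1
  fi
}

make_ca
issue_client alice; self_signed_client bob
verify_client alice && echo "alice: accepted (issued by our CA)"
verify_client bob || echo "bob: rejected (self-signed, not from our CA)"
revoke_client alice
verify_client alice || echo "alice: rejected (revoked via CRL)"
```

The server side keeps just ca.pem and the current crl.pem, so adding or revoking a client never means storing every client's public key on the server.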