Re: Preliminary TLS/SSL success
Julio Sánchez Fernández wrote:
> > http://www.openldap.org/lists/openldap-devel/9810/msg00074.html
>
> I find the above link particularly interesting. It makes sense and I
> was thinking about essentially the same, only was worried about giving
> the client certificate verification a meaning that was not warranted.
Yes; the meaning of SSL authentication is subtle. I found it helpful to
read RFC 2222 (SASL), especially the EXTERNAL mechanism (7.4)
and this passage (from the Introduction and Overview):
    The transmitted authorization identity may be different than the
    identity in the client's authentication credentials. This permits
    agents such as proxy servers to authenticate using their own
    credentials, yet request the access privileges of the identity for
    which they are proxying. With any mechanism, transmitting an
    authorization identity of the empty string directs the server to
    derive an authorization identity from the client's authentication
    credentials.
What do you plan to implement?
Would you like to know what Netscape does?
Some relevant documentation is available at
http://home.netscape.com/eng/server/console/4.0/help/5_secure.htm#1063316
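The RFC 2222 passage quoted in the message above draws the line that matters for TLS client certificates: the verified certificate supplies the authentication identity, while the authorization identity is something the client asks for and the server must check. The following is an added example, not code from the message, from OpenLDAP or from Netscape, showing how a server-side EXTERNAL handler can apply that rule. The `ExternalAuthServer` class, the `proxy_policy` table, the `TlsSession` stand-in and the DNs used as sample data are all constructed for this illustration.

```python
"""Added example: server-side handling of the SASL EXTERNAL authorization
identity, following the RFC 2222 rule quoted in the message above.

Everything here (class names, the proxy policy, the sample DNs) is
constructed for illustration; it is not OpenLDAP or Netscape code.
"""
from dataclasses import dataclass, field
from typing import Dict, Optional, Set


class AuthError(Exception):
    """Raised when the bind must be refused."""


@dataclass
class TlsSession:
    """Minimal stand-in for a TLS session (hypothetical).

    client_cert_subject is the subject DN of a client certificate that the
    TLS layer has already verified, or None if no certificate was presented.
    """
    client_cert_subject: Optional[str]


@dataclass
class ExternalAuthServer:
    # authentication identity -> set of authorization identities it may
    # request on behalf of others (a proxy policy; constructed for the example)
    proxy_policy: Dict[str, Set[str]] = field(default_factory=dict)

    def authenticate(self, session: TlsSession) -> str:
        """EXTERNAL takes the authentication identity from the TLS layer.

        Nothing the client sends inside the SASL exchange is trusted here;
        a verified certificate is the only source of the authn identity.
        """
        if session.client_cert_subject is None:
            raise AuthError("EXTERNAL requires a verified client certificate")
        return session.client_cert_subject

    def authorize(self, session: TlsSession, requested_authzid: str) -> str:
        """Return the effective (authorization) identity for this bind.

        Implements the RFC 2222 rule: an empty authorization identity means
        'derive it from the credentials'; any other value is a request to
        act as someone else and is granted only if the proxy policy allows
        the authenticated identity to do so.
        """
        authn = self.authenticate(session)
        if requested_authzid == "":
            # Empty string: the server derives authz from the credentials.
            return authn
        if requested_authzid == authn:
            # Asking for your own identity is always permitted.
            return authn
        allowed = self.proxy_policy.get(authn, set())
        if requested_authzid in allowed:
            return requested_authzid
        # A valid certificate does NOT entitle the holder to an arbitrary
        # authorization identity; refuse rather than silently downgrade.
        raise AuthError(f"{authn!r} may not act as {requested_authzid!r}")


def effective_identity(server: ExternalAuthServer, session: TlsSession,
                       requested_authzid: str) -> Optional[str]:
    """Convenience wrapper: the granted identity, or None when refused."""
    try:
        return server.authorize(session, requested_authzid)
    except AuthError:
        return None


if __name__ == "__main__":
    # Constructed sample data: a proxy that may act for alice, but not bob.
    server = ExternalAuthServer(
        proxy_policy={"cn=proxy,o=example": {"uid=alice,o=example"}})
    proxy = TlsSession("cn=proxy,o=example")
    anonymous = TlsSession(None)

    for session, authzid in [(proxy, ""),
                             (proxy, "uid=alice,o=example"),
                             (proxy, "uid=bob,o=example"),
                             (anonymous, "")]:
        print(repr(authzid), "->", effective_identity(server, session, authzid))
```

The important design choice is in `authorize`: the client certificate fixes who the peer *is*, and a non-empty authorization identity is only honoured through an explicit, server-side proxy policy, so a client cannot obtain another user's privileges merely by presenting a certificate that chains to a trusted CA.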