[Date Prev][Date Next]
Re: Preliminary TLS/SSL success
Julio Sánchez Fernández wrote:
> > http://www.openldap.org/lists/openldap-devel/9810/msg00074.html
> I find the above link particularly interesting. It makes sense and I
> was thinking about essentially the same, only was worried about giving
> the client certificate verification a meaning that was not warranted.
Yes; the meaning of SSL authentication is subtle. I found it helpful to
read RFC 2222 (SASL), especially the EXTERNAL mechanism (7.4)
and this passage (from the Introduction and Overview):
The transmitted authorization identity may be different than the
identity in the client's authentication credentials. This permits
agents such as proxy servers to authenticate using their own
credentials, yet request the access privileges of the identity for
which they are proxying. With any mechanism, transmitting an
authorization identity of the empty string directs the server to
derive an authorization identity from the client's authentication
What do you plan to implement?
Would you like to know what Netscape does?
Some relevant documentation is available, at