Re: Re:non-repudiation
on 11.09.2002 07:38:14 by Sonu Kishore
Thanks, Robert, for writing in.
I already have client authentication active for my specified folder. Whenever a
user wants to access that folder they have to present their certificate...
My question was:
If I have a web site which requires users to log on with user id / password and a
valid certificate,
how do I ensure that the certificate user "A" presents, with his user id and
password, was issued to him and not to any other user?
It is possible that user "A" logs on to my web site with his user id/password
but uses user "B"'s certificate... In such a case non-repudiation becomes
illogical,
because this link
http://httpd.apache.org/docs-2.0/ssl/ssl_howto.html#ToC6
only makes sense if there are few users.
I have 5,000 users accessing my site.
The flow goes like this:
The first time, the user goes to my OpenCA and requests a certificate.
The certificate is issued to the user.
The issued certificates are stored directly into my LDAP, using the RA interface.
The LDAP now has user id, password and the certificate.
My web site uses this LDAP to authenticate the user and give access to the
site.
Now in such a case, how do I go about ensuring non-repudiation?
Regards,
Sonu
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org
RE: Re:non-repudiation
on 11.09.2002 10:26:33 by Jeff AA
> -----Original Message-----
> From: owner-modssl-users@modssl.org
> [mailto:owner-modssl-users@modssl.org] On Behalf Of Sonu Kishore
> Sent: 11 September 2002 06:38
> To: robert.hannemann@lrz.mi.lsa-net.de
> Cc: openca-users@lists.sourceforge.net; michael.bell@web.de;
> m.pala@mo.nettuno.it; modssl-users@modssl.org;
> madwolf@openca.org; openca-devel@lists.sourceforge.net;
> michael.bell@rz.hu-berlin.de
> Subject: Re: Re:non-repudiation
> how do i ensure that the certificate user "A" presents, with
> his user id and
> password was issued to him and not to any other user....
>
> it is possible that user "A" logs on to my web site with his
> user id/ password
> but uses user "B" certificate... in such a case
> non-repudiation becomes
> ill-logical.
When the user logs in, check that the userid matches a part of the
certificate, e.g. the CN. If you have
SSLOptions +StdEnvVars
in your httpd.conf, then all the certificate details are available to
your dynamic login page in the environment.
Your login logic can go something like this Perlish pseudo code:
[watch the wrapping]
use strict;
use warnings;
use DBI;
use Digest::MD5 qw(md5_hex);

our ($dbh, $user, $password, $salt);   # set up earlier by the login page

# CGI-style redirect; every branch below ends here
sub redirect { print "Location: $_[0]\r\n\r\n"; exit; }

my $dbpasswd = md5_hex($password . "\t" . $user . "\t" . $salt);

# bind parameters: never interpolate $user or $dbpasswd into the SQL text
my $sth = $dbh->prepare("select count(*) from user where user = ? and password = ?");
$sth->execute($user, $dbpasswd);
my ($count) = $sth->fetchrow_array;

if ($count == 1) {
    # CN of the certificate mod_ssl verified must equal the login name
    if (($ENV{SSL_CLIENT_S_DN_CN} // '') ne $user) {
        redirect("/login?error=Certificate: $ENV{SSL_CLIENT_S_DN_CN} - Invalid, you must use your own certificate to login!");
    }
    redirect("/authenticated");
} else {
    redirect("/login?error=Invalid User/Password");
}
redirect("/login?error=System Error, please contact support");
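The check in the reply above, worked through as an added example (it is not code from the thread or from mod_ssl). It assumes an Apache vhost with SSLVerifyClient require and SSLOptions +StdEnvVars +ExportCertData, so that the login CGI sees SSL_CLIENT_VERIFY, SSL_CLIENT_S_DN_CN and the PEM certificate in SSL_CLIENT_CERT. A dictionary stands in for the LDAP entries described earlier in the thread; the password scheme is PBKDF2 rather than the md5 hash in the reply, which is a choice made for this example; and the "certificates" are placeholder byte strings, not real DER. Beyond the CN comparison, it also records the SHA-256 fingerprint of the certificate at issuance and requires the presented certificate to match it, which is the binding between a user record and one specific certificate that the original question asks for:

```python
import base64
import hashlib
import hmac
import os
import re

PBKDF2_ROUNDS = 100_000  # assumption: password storage scheme chosen for this example


def make_pem(der):
    """Wrap DER bytes in the PEM armour mod_ssl uses for SSL_CLIENT_CERT."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


def fingerprint_from_pem(pem):
    """SHA-256 hex fingerprint of the DER certificate inside a PEM block."""
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----", pem, re.S)
    if not m:
        raise ValueError("no PEM certificate in SSL_CLIENT_CERT")
    der = base64.b64decode("".join(m.group(1).split()))
    return hashlib.sha256(der).hexdigest()


def register_user(users, user, password, cert_pem):
    """What the RA step would store per user: salted password hash and cert fingerprint."""
    salt = os.urandom(16)
    users[user] = {
        "salt": salt,
        "pw_hash": hashlib.pbkdf2_hmac("sha256", password.encode(), salt, PBKDF2_ROUNDS),
        "cert_fp": fingerprint_from_pem(cert_pem),
    }


def check_login(users, environ, user, password):
    """Return (ok, reason). environ is the CGI environment mod_ssl populates."""
    # 1. mod_ssl itself must have verified the client certificate chain
    if environ.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return False, "no verified client certificate"
    rec = users.get(user)
    if rec is None:
        return False, "invalid user/password"
    # 2. password check with a constant-time comparison
    cand = hashlib.pbkdf2_hmac("sha256", password.encode(), rec["salt"], PBKDF2_ROUNDS)
    if not hmac.compare_digest(cand, rec["pw_hash"]):
        return False, "invalid user/password"
    # 3. the check from the reply: CN of the presented certificate must equal the login name
    if environ.get("SSL_CLIENT_S_DN_CN") != user:
        return False, "certificate CN does not match user"
    # 4. stronger binding: the presented certificate must be the one recorded at issuance
    try:
        presented = fingerprint_from_pem(environ.get("SSL_CLIENT_CERT", ""))
    except ValueError:
        return False, "certificate not exported (need SSLOptions +ExportCertData)"
    if not hmac.compare_digest(presented, rec["cert_fp"]):
        return False, "certificate is not the one issued to this user"
    return True, "ok"


# Constructed sample data: the DER bytes are placeholders, not real certificates.
CERT_A = make_pem(b"constructed placeholder DER for user A's certificate")
CERT_B = make_pem(b"constructed placeholder DER for user B's certificate")


def demo():
    """Run the scenarios from the thread and return the (ok, reason) results."""
    users = {}
    register_user(users, "alice", "s3cret", CERT_A)
    register_user(users, "bob", "hunter2", CERT_B)

    def env(cn, pem, verify="SUCCESS"):
        return {"SSL_CLIENT_VERIFY": verify, "SSL_CLIENT_S_DN_CN": cn, "SSL_CLIENT_CERT": pem}

    return [
        check_login(users, env("alice", CERT_A), "alice", "s3cret"),          # own cert
        check_login(users, env("bob", CERT_B), "alice", "s3cret"),            # A's password, B's cert
        check_login(users, env("alice", CERT_B), "alice", "s3cret"),          # right CN, wrong cert
        check_login(users, env("alice", CERT_A, "NONE"), "alice", "s3cret"),  # no client cert verified
        check_login(users, env("alice", CERT_A), "alice", "wrong"),           # bad password
    ]


if __name__ == "__main__":
    for ok, reason in demo():
        print(ok, reason)
```

The third scenario is why the fingerprint step is there: a CN match alone accepts any certificate whose subject carries the user's name, including one issued to the same name by another CA you happen to trust or an older certificate of the same user, whereas the stored fingerprint ties the login to the one certificate the RA recorded.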
Re: Re:non-repudiation
on 11.09.2002 16:23:08 by Ales Keber
----- Original Message -----
From: "Sonu Kishore"
>
> it is possible that user "A" logs on to my web site with his user id/
password
> but uses user "B" certificate... in such a case non-repudiation becomes
> ill-logical.
======================
Try mod_authz_ldap, http://authzldap.othello.ch/
It establishes relations between certificates and passwords, so a user with the
right certificate has to know the right password.
I tried to compile that module but I had problems patching
ssl_engine_kernel.c. Has anyone had more success?
======================
Best regards,
Ales Keber
ak@email.si
Re: [Openca-Users] Re: Re:non-repudiation
on 11.09.2002 16:57:00 by Ron Gedye
Is this a required module to restrict access to certain sites/dirs via
certificates? (apache 1.3.26)
I am having trouble with the SSLRequireSSL statements as presented on apache's howto
pages (newbie related, I'm sure). I have not compiled this module in, nor am
I using it as a DHAVE object. Wondering if not having the module above could
be the cause.
Thanks,
Ron
On Wednesday 11 September 2002 09:23 am, Ales Keber wrote:
> ----- Original Message -----
> From: "Sonu Kishore"
>
> > it is possible that user "A" logs on to my web site with his user id/
>
> password
>
> > but uses user "B" certificate... in such a case non-repudiation becomes
> > ill-logical.
>
> ======================
> Try to use mod_authz_ldap http://authzldap.othello.ch/
>
> it establish relations between certificates and passwords. So user with a
> right certificate has to know the right password.
>
>
> I tried to compile that module but I had problems at patching
> ssl_engine_kernel.c Had some one more success?
> ======================
>
>
> Best regards,
> Ales Keber
> ak@email.si