preventing client certs to be used by multiple users??

preventing client certs to be used by multiple users??

am 31.08.2005 23:37:03 von Conrad Friedrich

Hello,
Is there a way to prevent users (that got a client ssl-certificate (pkcs12)
for accessing my server) from giving their certs away to others and in that
way enabling "unwanted" users access to my site?
Or if there is no elegant solution, maybe someone knows how apache (or a log
analyzer etc.) can inform me if two different IPs have tried to connect
simultaneously using the same certificate?

Many thanks
Conrad Friedrich
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org

Re: preventing client certs to be used by multiple users??

am 01.09.2005 00:04:34 von Cliff Woolley

On 8/31/05, Conrad Friedrich wrote:
> Is there a way to prevent users (that got a client ssl-certificate (pkcs1=
2)
> for accessing my server) from giving their certs away to others and in th=
at
> way enabling "unwanted" users access to my site?

The client certificate acts as the user's identity. If the user gives
away his/her identity or the identity is stolen, then someone else can
authenticate to the server using that identity, and that's just the
way it is. This is no different than a username/password means of
establishing user identity, really, except that the user has perhaps
better ways to protect a client certificate than he does a
username/password. If the user intentionally gives away the
certificate, there's nothing you can do about it.

> Or if there is no elegant solution, maybe someone knows how apache (or a =
log
> analyzer etc.) can inform me if two different IPs have tried to connect
> simultaneously using the same certificate?

I haven't seen any such tool but that doesn't mean there isn't one out
there. Anybody else heard of such a thing?

--Cliff
____________________________________________________________ __________
Apache Interface to OpenSSL (mod_ssl) www.modssl.org
User Support Mailing List modssl-users@modssl.org
Automated List Manager majordomo@modssl.org