Date: Sun, 24 Mar 2013 01:16:33 -0700
From: Doug Hardie <bc979@lafn.org>
To: CeDeROM <cederom@tlen.pl>
Cc: "freebsd-questions@freebsd.org List" <freebsd-questions@freebsd.org>
Subject: Re: Client Authentication
Message-ID: <85D3DEE2-3E4E-4B68-87B0-6B946F15581C@lafn.org>
In-Reply-To: <CAFYkXjmc47oaCkMMF40oNM3Zsk=L1x6HeyUhYY2pRMfgKf-UZg@mail.gmail.com>
References: <B2DC7342-9F1A-489A-94F0-49802B1E5DF6@lafn.org> <CAFYkXjmc47oaCkMMF40oNM3Zsk=L1x6HeyUhYY2pRMfgKf-UZg@mail.gmail.com>

On 24 March 2013, at 01:03, CeDeROM <cederom@tlen.pl> wrote:

> Why don't you just use PKI for authentication (you can generate your
> own certificates)? You can easily upload keys/certificates to client
> machines (PC, Android, Apple, ...). That should work :-)

That's exactly what I have been testing. It's easy in concept, but there are issues in the details. Once the certificate is loaded in a Mac and the password entered, it's available for anyone to use thereafter. You actually have to remove the certificate from the keychain to disable it. Not a great approach for shared computers. Most users will not know how to remove it properly. I don't know about PCs yet though. In addition there are possible issues with mail clients. I have not tried them yet. It all depends if they can handle p12 format certificates. Pem format certificates must have the private key in plain format which renders them completely insecure.

Then there still is the issue about Safari (at least) not handling the no certificate case properly.

-- Doug