Date:      Sun, 24 Mar 2013 01:16:33 -0700
From:      Doug Hardie <bc979@lafn.org>
To:        CeDeROM <cederom@tlen.pl>
Cc:        "freebsd-questions@freebsd.org List" <freebsd-questions@freebsd.org>
Subject:   Re: Client Authentication
Message-ID:  <85D3DEE2-3E4E-4B68-87B0-6B946F15581C@lafn.org>
In-Reply-To: <CAFYkXjmc47oaCkMMF40oNM3Zsk=L1x6HeyUhYY2pRMfgKf-UZg@mail.gmail.com>
References:  <B2DC7342-9F1A-489A-94F0-49802B1E5DF6@lafn.org> <CAFYkXjmc47oaCkMMF40oNM3Zsk=L1x6HeyUhYY2pRMfgKf-UZg@mail.gmail.com>


On 24 March 2013, at 01:03, CeDeROM <cederom@tlen.pl> wrote:

> Why don't you just use PKI for authentication (you can generate your
> own certificates)? You can easily upload keys/certificates to client
> machines (PC, Android, Apple, ...). That should work :-)
>

That's exactly what I have been testing.  It's easy in concept, but there
are issues in the details.  Once the certificate is loaded in a Mac and
the password entered, it's available for anyone to use thereafter.  You
actually have to remove the certificate from the keychain to disable it.
Not a great approach for shared computers.  Most users will not know
how to remove it properly.  I don't know about PCs yet though.  In
addition there are possible issues with mail clients.  I have not tried
them yet.  It all depends if they can handle p12 format certificates.
PEM format certificates must have the private key in plain format, which
renders them completely insecure.

Then there still is the issue about Safari (at least) not handling the
no-certificate case properly.

-- Doug
