Re: SSL_CTX_set_cert_verify_callback and certificate access

On 1/10/19 11:00 AM, Michael Wojcik wrote:
> From: openssl-users [mailto:openssl-users-bounces@xxxxxxxxxxx] On Behalf Of Jordan Brown
> Sent: Thursday, January 10, 2019 11:15
>> On 1/9/2019 6:54 PM, Corey Minyard wrote:
>>> 2. Set the userid in the certificate and use client authentication to
>>>    authenticate the user logging in.  Set the username in the CN field
>>>    of the certificate so it can't be changed, extract that and set the
>>>    CA before verification.  This is what I'm currently trying to do,
>>>    and I keep running into roadblocks.
>> Why do you think you need to set the CA?
> Agreed. That's an odd requirement.

Thanks for the responses.

It is unusual, perhaps, but I'm trying to implement something like ssh does.  I can't expect users of ser2net to obtain certificates from a real certificate authority, that's too high a barrier for entry.  I want them to be able to generate a key pair, put the public key on the server in their account, and authenticate against that.

It's a balance of getting reasonable security that people will actually use.

-corey
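
An added example (not from the original message and not ser2net's code) of the ssh-like model described above, using the openssl command line: the server keeps one public key per account and accepts a self-signed client certificate only if its key matches the key enrolled for the user named in the CN. The directory layout, the user name `alice` and all function names are assumptions made for the demo.

```shell
#!/bin/sh
# Constructed demo: ssh-style "authorized key" check for self-signed client certs.
# File layout, user names and function names are hypothetical.

# Print the certificate's public key (SubjectPublicKeyInfo) as PEM.
cert_pubkey() {
    openssl x509 -in "$1" -noout -pubkey
}

# Print the subject CN of a certificate (one line per CN attribute).
cert_cn() {
    openssl x509 -in "$1" -noout -subject -nameopt multiline |
        sed -n 's/^ *commonName *= *//p'
}

# Return 0 only if the cert's key equals the key enrolled for the user in its CN.
key_authorized() {
    cert=$1 keydir=$2
    user=$(cert_cn "$cert") || return 1
    # The CN becomes a file name: accept a conservative character set only.
    # This also rejects an empty CN and certificates carrying several CNs.
    case $user in
        ''|*[!A-Za-z0-9_-]*) return 1 ;;
    esac
    [ -f "$keydir/$user.pub" ] || return 1
    [ "$(cert_pubkey "$cert")" = "$(cat "$keydir/$user.pub")" ]
}

# Build scratch data: alice's real cert, plus an impostor cert that also
# claims CN=alice but holds a different key. Prints the scratch directory.
make_demo() {
    d=$(mktemp -d) || return 1
    mkdir "$d/keys" || return 1
    for who in alice impostor; do
        openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=alice" \
            -keyout "$d/$who.key" -out "$d/$who.crt" 2>/dev/null || return 1
    done
    # Enrollment step: only alice's public key is placed in her account.
    openssl pkey -in "$d/alice.key" -pubout -out "$d/keys/alice.pub" || return 1
    echo "$d"
}

# Usage: d=$(make_demo); key_authorized "$d/alice.crt" "$d/keys" && echo accepted
```

The comparison only establishes that the presented key is the enrolled one; proof that the peer holds the matching private key still comes from completing the TLS handshake with client authentication.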
