[BEEPwg] TLS with mutual authentication

Dong Xin dxin@ncsa.uiuc.edu
Thu, 27 May 2004 10:44:40 -0500 (CDT)


Thanks a lot, Lei.
However, I am a new user of beepcore. It will be great if you can explain
more.

> I think the RFC's mentioning of using serverName to specify server side 
> certificate is really not a good solution.  This is what I plan to do 
> for my BEEP implementation:
> 
> -  the server can take a command line option that points to a X.509 
> certificate

What is the "command line option"? Is this command line option specified
in config files? What's the format of this specification?

> -  on the client side, in order to really verify the certificate, the 
> server certificate must be copied to the client machine, then the client 
> machine can take a command line option that points to this known 
> server-side certificate
> -  client starts TLS channel, SSL handshake starts, the server sends the 
> certificate and the client verifies it

Why does the server need to send the certificate? Is a message signed by
a private key not enough?

> -  the client can take another command line option that points to a 
> local certificate; if this is specified, then client certificate will be 
> verified by server (the client-side certificate must be loaded on the 
> server machine as pre-requisite)
> 
> By doing this, it seems the only need for further authentication using 
> SASL would be access-control.
> 
> Sane?
> Lei
>

I do not know whether mutual authentication is already supported by
beepcore.tls or we have to implement it in our application.

Thanks.
Dong
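The plan Lei sketches above (server certificate copied to the client, client certificate pre-loaded on the server, each side verifying the other's certificate during the handshake), worked through in Go's standard TLS library as an added example; this is not code from beepcore or from anyone in the thread. The names beep.example and client.example, the in-memory self-signed certificates that stand in for the X.509 files each side's option would point at, and the loopback TCP transport are assumptions for the demonstration; each side trusts only the one certificate placed in its pool, so a certificate with the right name but an unknown key is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"math/big"
	"time"
)

// selfSigned builds a throwaway self-signed certificate for name cn (constructed here; it stands in for the X.509 file each side would load).
func selfSigned(cn string) (tls.Certificate, *x509.Certificate) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(1), DNSNames: []string{cn}, KeyUsage: x509.KeyUsageDigitalSignature,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth}}
	der, _ := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, leaf
}

// mutualHandshake runs one TLS handshake over loopback; the client trusts only trustedServer, the server only trustedClient.
func mutualHandshake(srvCert, cliCert tls.Certificate, trustedServer, trustedClient *x509.Certificate) error {
	srvPool, cliPool := x509.NewCertPool(), x509.NewCertPool()
	srvPool.AddCert(trustedClient) // the known client certificate pre-loaded on the server
	cliPool.AddCert(trustedServer) // the known server certificate copied to the client
	srvCfg := &tls.Config{Certificates: []tls.Certificate{srvCert}, ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: srvPool}
	cliCfg := &tls.Config{Certificates: []tls.Certificate{cliCert}, RootCAs: cliPool, ServerName: trustedServer.DNSNames[0]}
	ln, err := tls.Listen("tcp", "127.0.0.1:0", srvCfg)
	if err != nil {
		return err
	}
	defer ln.Close()
	errc := make(chan error, 1)
	go func() { // server side: accept the one connection dialled below and run its handshake
		conn, err := ln.Accept()
		if err == nil {
			err = conn.(*tls.Conn).Handshake() // fails if the client presents a certificate not in ClientCAs
			conn.Close()
		}
		errc <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cliCfg) // Dial runs the client side of the handshake
	if err != nil {
		return err // the client refused the server certificate
	}
	defer conn.Close()
	return <-errc // nil only if the server also accepted the client certificate
}
```

With TLS 1.3 the client's side of the handshake finishes before the server has checked the client certificate, which is why the server's verdict is collected separately through errc.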