"James A. Donald" <jamesd@echeque.com> writes:
> -- On 3 Jun 2003 at 15:04, James A. Donald wrote:
> I never figured out how to use a certificate to authenticate a client to a web server, how to make a web form available to one client and not another. Where do I start?
>
> What I and everyone else does is use a shared secret, a password stored on the server, whereby the otherwise anonymous client gets authenticated, then gets an ephemeral cookie identifying him. I cannot seem to find any how-tos or examples for anything better, whether for IIS or apache.
>
> As a result we each have a large number of shared secret passwords, whereby we each log into a large number of webservers. Was this what the people who created this protocol intended?
>
> Or to say the same thing in different words -- why can't HTTPS be more like SSH? Why are we seeing a snow storm of scam mails trying to get us to login to e-g0ld.com?
Because HTTPS is designed to let you talk to people you've never talked to before, which is an inherently harder problem than allowing you to talk to people you have.

-Ekr

--
[Eric Rescorla ekr@rtfm.com]
http://www.rtfm.com/
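As an added example that is not part of the thread, this is an Apache 2.4 configuration I wrote to answer the question above: one form is made available only to a client holding a certificate issued by the site's own CA, while the rest of the site stays anonymous. The hostname, file paths and the subject CN "alice" are assumptions.

```apacheconf
# Added example, not from the original thread. Paths, hostname and the
# CN "alice" are assumed values for illustration.
<VirtualHost *:443>
    ServerName example.test
    SSLEngine on
    SSLCertificateFile    /etc/ssl/certs/server.crt
    SSLCertificateKeyFile /etc/ssl/private/server.key

    # Only client certificates chaining to this private CA are accepted.
    # The site enrols its own users, so no public CA is involved, and the
    # client's private key never leaves the client: a look-alike phishing
    # site cannot capture a reusable secret the way it captures a password.
    SSLCACertificateFile  /etc/ssl/certs/client-ca.pem
    SSLVerifyDepth        1

    # Default for the whole site: no certificate requested.
    SSLVerifyClient none

    # The protected form: Apache requests the certificate once it knows the
    # path (per-location SSLVerifyClient triggers a renegotiation or a TLS
    # post-handshake certificate request), then authorises by subject CN.
    <Location "/private/form">
        SSLVerifyClient require
        Require expr "%{SSL_CLIENT_S_DN_CN} == 'alice'"
    </Location>
</VirtualHost>
```

To admit several clients, replace the equality with `%{SSL_CLIENT_S_DN_CN} in { 'alice', 'bob' }`; revocation of a lost key still has to be handled separately, for instance with SSLCARevocationFile.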