-- On 3 Jun 2003 at 15:04, James A. Donald wrote:
I never figured out how to use a certificate to authenticate a client to a web server, how to make a web form available to one client and not another. Where do I start?
What I and everyone else does is use a shared secret, a password stored on the server, whereby the otherwise anonymous client gets authenticated, then gets an ephemeral cookie identifying him.. I cannot seem to find any how-tos or examples for anything better, whether for IIS or apache.
As a result we each have a large number of shared secret passwords, whereby we each log into a large number of webservers. Was this what the people who created this protocol intended?
Or to say the same thing in different words -- why can't HTTPS be more like SSH? Why are we seeing a snow storm of scam mails trying to get us to login to e-g0ld.com? --digsig James A. Donald 6YeGpsZR+nOTh/cGwvITnSR3TdzclVpR0+pr3YYQdkG QtiFX0Q654gHh54NAMlLGE1FGDveixyzL0ZnAOVS 4hprBkT1zeYk/HdBOXiquwvz5vLUwF/21wW1Jf411 --------------------------------------------------------------------- The Cryptography Mailing List Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com