SSL/TLS - am I doing it right?

Frank Millman frank at chagford.com
Wed Mar 15 04:27:38 EST 2006


Sybren Stuvel wrote:
> Michael Ekstrand enlightened us with:
> > clients aren't expected to have their own certificates. I think that
> > the only time you really need the clients to have certificates is
> > when the certificate *is* your authentication (e.g., in OpenVPN).
>
> Fact remains that a strong certificate is much more secure than
> letting people choose their own passwords.
>

I suppose it depends on your degree of paranoia (not that I want to
belittle paranoia - it is a healthy instinct in this context).

I was recommended to read O'Reilly's Network Security with OpenSSL. The
first chapter is available online -

http://www.oreilly.com/catalog/openssl/chapter/ch01.pdf

It is a 30 page introduction which explains the concepts fairly
thoroughly. After describing how a server sends a certificate and a
client validates it, it simply says "Although rare, the server can also
request a certificate from the client".

Obviously there are many different scenarios, but for my particular
one, user id and password is 'good enough'.

Frank
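The two steps the book summarises above, the client validating the server's certificate and the (rarer) server requesting one from the client, can be shown end to end with Python's standard `ssl` module. The script below is an added example written for this page, not code from the thread, the book or the Python project. It assumes the `openssl` command-line tool (1.1.1 or later, for `-addext`) is on PATH to mint throw-away self-signed certificates, Python 3.8 or later, and that a loopback port can be opened. The server is run in one configuration where it does not ask for a client certificate and in another where it sets `CERT_REQUIRED`, which is the "certificate is your authentication" case from the discussion; in the latter, a client that shows up without a certificate fails the handshake.

```python
"""Added example: one-shot TLS server/client on localhost, with and without
client-certificate authentication. Certificates are generated on the fly with
the openssl CLI (assumed to be on PATH) and thrown away afterwards."""
import os
import socket
import ssl
import subprocess
import tempfile
import threading


def make_self_signed(directory, name):
    """Create a self-signed certificate and key for `name` (CN and DNS SAN)."""
    key = os.path.join(directory, f"{name}.key")
    crt = os.path.join(directory, f"{name}.crt")
    subprocess.run(
        ["openssl", "req", "-x509", "-newkey", "rsa:2048", "-nodes",
         "-keyout", key, "-out", crt, "-days", "1",
         "-subj", f"/CN={name}", "-addext", f"subjectAltName=DNS:{name}"],
        check=True, capture_output=True,
    )
    return crt, key


def serve_one(ctx, listener, outcome):
    """Accept one connection, complete the TLS handshake and record the result."""
    conn, _ = listener.accept()
    try:
        with ctx.wrap_socket(conn, server_side=True) as tls:
            # getpeercert() is None when the client sent no certificate,
            # and a populated dict once the chain has been validated.
            outcome["server"] = "ok"
            outcome["client_cert"] = bool(tls.getpeercert())
            tls.sendall(b"hello")
    except OSError:  # ssl.SSLError is a subclass of OSError
        outcome["server"] = "handshake failed"


def connect(port, server_crt, client_cert=None):
    """Client side: trust only `server_crt`, optionally present a client cert.
    Returns True if application data arrived, False if the handshake failed."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=server_crt)
    if client_cert:
        ctx.load_cert_chain(*client_cert)
    try:
        with socket.create_connection(("127.0.0.1", port)) as raw:
            # server_hostname drives hostname verification against the SAN.
            with ctx.wrap_socket(raw, server_hostname="localhost") as tls:
                # With TLS 1.3 a missing client cert is only rejected after the
                # client believes the handshake is done, so the alert shows up
                # here on the first read rather than in wrap_socket().
                return tls.recv(5) == b"hello"
    except OSError:
        return False


def mutual_tls_demo(require_client_cert, client_presents_cert):
    """Run one connection; returns (server_ok, client_got_data, client_cert_seen)."""
    with tempfile.TemporaryDirectory() as tmp:
        server_crt, server_key = make_self_signed(tmp, "localhost")
        client_crt, client_key = make_self_signed(tmp, "client")

        srv_ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH)
        srv_ctx.load_cert_chain(server_crt, server_key)
        if require_client_cert:
            # Ask for, and insist on, a client certificate chaining to a
            # trusted anchor; here the client's own self-signed cert is pinned.
            srv_ctx.verify_mode = ssl.CERT_REQUIRED
            srv_ctx.load_verify_locations(cafile=client_crt)

        outcome = {}
        with socket.create_server(("127.0.0.1", 0)) as listener:
            port = listener.getsockname()[1]
            worker = threading.Thread(target=serve_one, args=(srv_ctx, listener, outcome))
            worker.start()
            creds = (client_crt, client_key) if client_presents_cert else None
            got_data = connect(port, server_crt, creds)
            worker.join()
        return outcome.get("server") == "ok", got_data, outcome.get("client_cert", False)


if __name__ == "__main__":
    print("password-style server, no client cert:", mutual_tls_demo(False, False))
    print("cert-required server, client has cert:", mutual_tls_demo(True, True))
    print("cert-required server, client has none:", mutual_tls_demo(True, False))
```

The first run is the common deployment the thread describes (only the server is authenticated by TLS; the user would then log in with a password over the encrypted channel); the third run shows that once `verify_mode` is `CERT_REQUIRED`, possession of a trusted certificate is the authentication and the connection is refused without it.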