• Post Reply Bookmark Topic Watch Topic
  • New Topic
programming forums Java Mobile Certification Databases Caching Books Engineering Micro Controllers OS Languages Paradigms IDEs Build Tools Frameworks Application Servers Open Source This Site Careers Other Pie Elite all forums
this forum made possible by our volunteer staff, including ...
Marshals:
  • Campbell Ritchie
  • Jeanne Boyarsky
  • Ron McLeod
  • Paul Clapham
  • Liutauras Vilda
Sheriffs:
  • paul wheaton
  • Rob Spoor
  • Devaka Cooray
Saloon Keepers:
  • Stephan van Hulst
  • Tim Holloway
  • Carey Brown
  • Frits Walraven
  • Tim Moores
Bartenders:
  • Mikalai Zaikin

HTTPS Client Authentication

 
Ranch Hand
Posts: 32
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I've seen various questions online that talk about "HTTPS client Authentication". Is this talking about CLIENT-CERT?
 
Ranch Hand
Posts: 1325
Android Java Windows
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
This is Authenticaiton Mechanisms,

HTTPS is HTTP over SSL(Secure Socket Layer)
SSL is protocol is to ensure the privacy of sensitive data tansmitted over the internet.

yes it requires a certification form a certification authority, such as veriSign
 
David Bates
Ranch Hand
Posts: 32
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
...so that's a yes?

I understand HTTPS/SSL as transport layer encryption and CLIENT-CERT as authentication. I've never seen the phrase "HTTPS client Authentication" in any of my books.
 
Ranch Hand
Posts: 236
  • Mark post as helpful
  • send pies
    Number of slices to send:
    Optional 'thank-you' note:
  • Quote
  • Report post to moderator
I found this link using Google:
http://java.boot.by/wcd-guide/ch05s03.html

It discusses these web client authentication types:
  • HTTP Basic Authentication
  • HTTP Digest Authentication
  • HTTPS Client Authentication
  • Form Based Authentication

  • And under "HTTPS Client Authentication", it says

    End user authentication using HTTPS (HTTP over SSL) is a strong authentication mechanism. This mechanism requires the user to possess a Public Key Certificate (PKC) ...

    ...Client-certificate authentication is a more secure method of authentication than either BASIC or FORM authentication. It uses HTTP over SSL, in which the server and, optionally, the client authenticate one another with Public Key Certificates. Secure Sockets Layer (SSL) provides data encryption, server authentication, message integrity, and optional client authentication for a TCP/IP connection.


    PS:
    No, the certificate doesn't necessarily need to come from somebody like Verisign. You can easily create your own, self-signed certificates with puttygen (Windows), openssl (Linux) or many other tools.
    [ September 07, 2006: Message edited by: Paul Santa Maria ]
     
    Rancher
    Posts: 43081
    77
    • Mark post as helpful
    • send pies
      Number of slices to send:
      Optional 'thank-you' note:
    • Quote
    • Report post to moderator
    The term "HTTPS client Authentication" is odd. It mixes two things that don't really have anything to do with each other - authentication and encryption. HTTP authentication and HTTP encryption (i.e., HTTPS) are orthogonal concepts - they can be used together or eahc of them individually.

    HTTPS means using an encrypted connection; it requires the server to present a certificate in order to establish trust.

    Authentication can be achieved by various means, as pointed out before. One of those is CLIENT-CERT, which requires a personal certificate to be imported into the browser, and then sent to the server. Note that this is a different certificate than the one used with SSL/HTTPS (which is a server certificate).
     
    Paul Santa Maria
    Ranch Hand
    Posts: 236
    • Mark post as helpful
    • send pies
      Number of slices to send:
      Optional 'thank-you' note:
    • Quote
    • Report post to moderator
    Ulf -

    I think you're getting too hung up on the name.

    Yes, I agree that encryption and authentication are two different things.
    Furthermore, "authorization" ("Are you privileged to look at this web page?": which is, after all, the whole *point* of these 4 "authentication" types) is yet a third completely different thing.

    But provided we're all clear about what these terms actually mean, I'm OK with the name "HTTPS Client Authentication" ;-)
    [ September 08, 2006: Message edited by: Paul Santa Maria ]
     
    David Bates
    Ranch Hand
    Posts: 32
    • Mark post as helpful
    • send pies
      Number of slices to send:
      Optional 'thank-you' note:
    • Quote
    • Report post to moderator

    HTTP authentication and HTTP encryption (i.e., HTTPS) are orthogonal concepts - they can be used together or eahc of them individually.



    Thanks Ulf, that was exactly what was getting me confused. I came back to this thread to post what I had found in the Servlet Spec. In section SRV.12.5.4 (Page 95) it describes the various authentication methods (Basic, Digest, Form-based and HTTPS Client authentication).

    This means that what the HF book refers to as CLIENT-CERT authentication is referred to in the Spec as HTTPS Client authentication. I think future versions of this book (which is great, BTW) could go to slightly greater lengths to distinguish between:

    (i) HTTPS transport-level encryption (via <transport-guarantee> element).
    (ii) HTTPS-based authentication via client certificates.

    I still have a few questions though...


    Firstly, I just want to clarify part of Paul's quotation:

    End user authentication using HTTPS...requires the user to possess a Public Key Certificate (PKC).

    ...It uses HTTP over SSL, in which the server and, optionally, the client authenticate one another with Public Key Certificates.



    Question: Why is the authentication of the client optional?


    Secondly, in the URL he references it shows an example DD for CLIENT-CERT with a <realm-name> element. However, in the Specification it says "The realm-name indicates the realm name to use in HTTP BASIC authentication." (Page 144). Is the spec being misleading here or is the example incorrect?


    Finally, Pauls says:

    No, the certificate doesn't necessarily need to come from somebody like Verisign. You can easily create your own, self-signed certificates with puttygen (Windows), openssl (Linux) or many other tools.



    As I understand it this will create a certificate, but will will not be a "trusted" certificate since it doesn't come from a Certificate Authority (CA). Is this correct?
     
    reply
      Bookmark Topic Watch Topic
    • New Topic