
Digital Certificates and authentication


    [warning : Ridiculously broad question follows.]

    Does anyone out there have experience of implementing the use of public digital certificates (i.e. issued by Verisign for example) in application authentication (web and thick client)? I'm interested in knowing whether it's a b*tch to do or whether there are lots of simple APIs to plug into.

    I'm not a programmer (thank God) so not interested in the technicalities at this stage, just the effort involved.

    TIA

    #2
    In short I'd say yes, it is not too much effort (in MS environment) if you know what you're doing.

    I think the difficulty depends entirely on your authentication method. I have dealt with Digital Certificates used for authentication in the past (for web), and from what I remember the public key is passed in the HTTP header which can then be extracted by the target server.

    One area I worked on was server to server authentication via a web service. It was just a matter of pointing a web request to the relevant .cer file and performing the request as per normal (i.e. it was technically very easy to accomplish, the difficulty I suppose was in the initial creation of the certificates used by my stub service for testing). It has been a while since I did it but I remember that my stub service was prompting for a digital certificate. I think that part is set up entirely in IIS.

    I am referring entirely to C#/.NET which natively supports the creation of an HTTP request with X509 certificates attached.



      #3
      Originally posted by Jaws
      In short I'd say yes, it is not too much effort (in MS environment) if you know what you're doing.

      I think the difficulty depends entirely on your authentication method. I have dealt with Digital Certificates used for authentication in the past (for web), and from what I remember the public key is passed in the HTTP header which can then be extracted by the target server.
      Thanks Jaws. Is there a vast difference in the coding for different browsers/OS combinations? Also, any ideas of the responsiveness of the CA servers? Just curious how this scales up.



        #4
        Originally posted by Tensai
        Thanks Jaws. Is there a vast difference in the coding for different browsers/OS combinations? Also, any ideas of the responsiveness of the CA servers? Just curious how this scales up.
        I think the main issue is how the server is set up rather than the client; if the server is set up to require a certificate, then as long as the client browser supports certificates at all it should be fine. I'm not aware of which browsers have this support and which don't, although given that pretty much all of them support SSL the compatibility must be high.

        In terms of responsiveness of the CA servers, at least where I was before (although I may be wrong, and apologies if I am as this was not something I was directly involved with) our servers retrieved a file from the CA from the relevant servers at some interval (it may have been daily) and this was applied directly to the web server of the site - so the CA server did not have much of a bearing on overall authentication performance.



          #5
          Originally posted by Jaws
          ...our servers retrieved a file from the CA from the relevant servers at some interval (it may have been daily) and this was applied directly to the web server of the site - so the CA server did not have much of a bearing on overall authentication performance.
          Interesting. Kind of undermines the idea that a cert can be revoked instantaneously.

          Thanks for the info.

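Added example (not part of any poster's reply, and not code from the systems described): a small Python model of the set-up recalled in #4, where the web server checks client certificates against a locally cached revocation list refreshed at an interval, and of the delay noted in #5. The class names, the serial number and the timings are constructed assumptions; no real CRL is parsed and no CA is contacted.

```python
from dataclasses import dataclass, field

@dataclass
class CertificateAuthority:
    """Constructed stand-in for a CA: a revocation is recorded here at once."""
    revoked: dict = field(default_factory=dict)  # serial -> revocation time (s)

    def revoke(self, serial, when):
        self.revoked[serial] = when

    def publish_crl(self, now):
        # Snapshot of the revocation list as a relying party would download it.
        return frozenset(s for s, t in self.revoked.items() if t <= now)

@dataclass
class WebServer:
    """Relying party that checks client certs against a cached revocation list."""
    ca: CertificateAuthority
    refresh_interval: int            # seconds between downloads from the CA
    cached_crl: frozenset = frozenset()
    last_fetch: int = None

    def accepts(self, serial, now):
        stale = self.last_fetch is None or now - self.last_fetch >= self.refresh_interval
        if stale:
            self.cached_crl = self.ca.publish_crl(now)
            self.last_fetch = now
        # Between refreshes the decision is made without asking the CA.
        return serial not in self.cached_crl

def exposure_window(refresh_interval, revoked_at, step=3600, horizon=3 * 86400):
    """Seconds between revocation at the CA and the first rejected login.

    A login is attempted every `step` seconds; returns None if the
    certificate is still accepted when `horizon` is reached.
    """
    ca = CertificateAuthority()
    server = WebServer(ca, refresh_interval)
    serial = 0x1001                  # constructed serial number
    for now in range(0, horizon, step):
        if now >= revoked_at and serial not in ca.revoked:
            ca.revoke(serial, revoked_at)
        if not server.accepts(serial, now):
            return now - revoked_at
    return None

if __name__ == "__main__":
    print("daily refresh :", exposure_window(86400, 3600), "s of exposure")
    print("hourly refresh:", exposure_window(3600, 3600), "s of exposure")
```

With a daily refresh, a certificate revoked one hour after the last download keeps working for the remaining 23 hours; shortening the refresh interval shrinks that window at the cost of more traffic to the CA.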