Community technical support mailing list was retired 2010 and replaced with a professional technical support team. For assistance please contact: Pre-sales Technical support via email to sales@march-hare.com.
Charles Oram wrote:
> So if I install the user's self-signed certificate on the server, isn't
> that just giving the server the user's public key so that the server can
> authenticate the user? OK, I don't have the full chain of trust that you
> have with signed certificates, but you need more than a username and
> password to login to CVS then.

That's not how SSL works - you create a local CA, then issue certificates from that CA to your clients. The server then knows it can trust the certificate as it was issued from its own (trusted) CA. You'd have to issue the ca.pem for your local CA of course...

This not only allows you to control which clients can connect, but you can control things like the expiration date and revoke old clients easily.

I know of no implementations that work as you suggest - the whole point of signing is you don't need huge databases of valid clients.. you'd end up with login time sucking as it'd have to compare every public key it knew about with the supplied one (that's even if it's possible to implement such a scheme in SSL.. you might not be able to get the presented keys & convert them into a useful format anyway).

Tony
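The local-CA arrangement described in the reply above, as an added example using the openssl command line (not part of the original message and not CVSNT's own tooling). The CA name, the client names alice and mallory, and the lifetimes are constructed. The server-side check needs only ca.pem: it accepts the CA-issued certificate, rejects the self-signed one, and the CA decides how long each client certificate lasts.

```shell
#!/bin/sh
# Added example: a local CA issuing client certificates (all names constructed).
set -eu

# Create the local CA: a private key plus the self-signed ca.pem the server trusts.
make_ca() {  # $1 = working directory
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -subj "/CN=Example Local CA" \
        -keyout "$1/ca.key" -out "$1/ca.pem" 2>/dev/null
}

# Issue a client certificate signed by the CA; the CA chooses the lifetime.
issue_client() {  # $1 = dir, $2 = client name, $3 = validity in days
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.csr" 2>/dev/null
    openssl x509 -req -in "$1/$2.csr" -CA "$1/ca.pem" -CAkey "$1/ca.key" \
        -CAcreateserial -days "$3" -out "$1/$2.pem" 2>/dev/null
}

# A certificate the client signed itself, with no involvement from the CA.
make_self_signed() {  # $1 = dir, $2 = name
    openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=$2" \
        -keyout "$1/$2.key" -out "$1/$2.pem" 2>/dev/null
}

# The server-side decision: does the presented certificate chain to ca.pem?
trusted_by_ca() {  # $1 = dir, $2 = certificate file
    openssl verify -CAfile "$1/ca.pem" "$2" >/dev/null 2>&1
}

# Succeeds only if the certificate is still valid $2 days from now.
valid_for_days() {  # $1 = certificate file, $2 = days
    openssl x509 -in "$1" -noout -checkend $(( $2 * 86400 )) >/dev/null
}

demo() {
    d=$(mktemp -d)
    make_ca "$d"
    issue_client "$d" alice 90
    make_self_signed "$d" mallory
    for c in alice mallory; do
        if trusted_by_ca "$d" "$d/$c.pem"; then echo "$c: accepted"
        else echo "$c: rejected"; fi
    done
    rm -rf "$d"
}
demo
```
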