
Client Certificate Verification

So someone around here is too lazy to pick up his/her cookie before leaving a comment on my site. They clear their cookies monthly. I don't want to have just a form where you put your name, email address, and website, because that could allow someone to impersonate another person. And I'd like to avoid forcing readers to have another password. So.

The solution presented itself while discussing the issue with Laura. Take advantage of SSL. Normally when you visit a commercial web site to make a purchase, you verify that you are really talking to that company, because they provide a certificate, and this cert is signed by a well known certificate (like Verisign) and your browser already trusts that cert.

But SSL is a two-way authentication system. What I propose is the converse. When a reader wants to leave a comment on my site, they may provide their cert. If it's signed by a well known cert, great; if not, then I'll need to verify it (its fingerprint at least) somehow. This is a one time event.

When they come to the site with a cert that I eventually trust, I'll just let them post the comment. There's no need for a password. I may not even need to ask for their username.

I think it's about time my so called "security conscious" friends and I deploy such a system. Hehe, but does their canned blogging software have this ability?

What if my to-be commentators don't have certificates? Well then it's back to tokens over email, passwords, or posting anonymously.
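As an added example (not code from this post or from any blog software), here is the decision described above written as the server-side logic that would sit behind Apache mod_ssl configured with `SSLVerifyClient optional_no_ca` and `SSLOptions +StdEnvVars +ExportCertData`: a cert that chains to a trusted CA is accepted outright, any other cert is accepted only if its fingerprint was approved once out of band, and a new cert is held for that one-time verification. The `Commenter` class, the `authenticate` function and the sample certificate bytes are assumptions for the illustration; the `SSL_CLIENT_*` variables are the ones mod_ssl exports.

```python
import base64
import hashlib
import hmac
import ssl
from dataclasses import dataclass

# Constructed stand-in for a reader's certificate: arbitrary bytes wrapped as
# PEM. Only the fingerprint of the DER bytes is used, so no ASN.1 is parsed.
FAKE_DER = bytes(range(48, 112)) * 4
SAMPLE_PEM = ("-----BEGIN CERTIFICATE-----\n"
              + base64.encodebytes(FAKE_DER).decode("ascii")
              + "-----END CERTIFICATE-----\n")


def fingerprint_sha256(pem_cert):
    """SHA-256 fingerprint of the certificate, colon-separated as openssl prints it."""
    der = ssl.PEM_cert_to_DER_cert(pem_cert)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


@dataclass
class Commenter:
    status: str            # trusted-ca | trusted-fingerprint | pending | anonymous
    name: str = ""
    fingerprint: str = ""


def authenticate(env, approved_fingerprints):
    """Classify a comment request from the CGI variables mod_ssl exports.

    SSL_CLIENT_VERIFY is NONE, SUCCESS, GENEROUS or FAILED:<reason>;
    SSL_CLIENT_CERT is the PEM cert; SSL_CLIENT_S_DN_CN is its subject CN.
    approved_fingerprints holds fingerprints the site owner verified once.
    """
    verify = env.get("SSL_CLIENT_VERIFY", "NONE")
    pem = env.get("SSL_CLIENT_CERT", "")
    if not pem or verify == "NONE" or verify.startswith("FAILED"):
        return Commenter("anonymous")      # fall back to tokens, passwords, etc.
    fp = fingerprint_sha256(pem)
    name = env.get("SSL_CLIENT_S_DN_CN", "")
    if verify == "SUCCESS":                # chain ends in a CA the server trusts
        return Commenter("trusted-ca", name, fp)
    # GENEROUS: self-signed or unknown issuer, so the chain proves nothing and
    # only a fingerprint the owner already approved identifies the reader.
    for approved in approved_fingerprints:
        if hmac.compare_digest(approved, fp):
            return Commenter("trusted-fingerprint", name, fp)
    return Commenter("pending", name, fp)  # hold for the one-time verification
```

The handshake itself proves the client holds the cert's private key; the fingerprint check only pins which cert the owner vouched for, so the approved set should be stored where only the site owner can edit it.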

Comments

Any Blog Software has that ability

Any blog software run on an SSL capable server/host can have that capability; it's super easy with mod_ssl. Unfortunately, I only have one host with SSL enabled, and since I do name based virtual hosting, it isn't happening on mine anytime soon.
On the other hand, I'm currently writing a plugin for WordPress at work which can use S/MIME to send/receive e-mails. It's really easy in most languages, and I think you're using Java - look into the X509 classes and methods, they have exactly what you need.
