Mutual SSL - how much authentication is sufficient?

Suppose you have a mutual SSL service, which in addition to the SSL, has application authentication. Thus, clients provide certificates (as well as servers), but the client request (e.g., REST request) also contains a username/password which the back-end application server authenticates with.

In terms of the "degree" of client authentication, it seems that there are multiple levels. One level (a) is simply for the client to provide a cert that is signed by a CA which is in the server CA store. Another obvious level (b) is for the server to enforce (a) plus ensure that the application credentials are correct. A third level (c) is to do (a) and (b) plus ensure that the client cert is uniquely associated with the account.

The benefit of (c) is that it prevents someone who is trusted by a "trusted CA" from abusing an illegally obtained application password.

I realize this is all very unlikely, but I am wondering to what extent (c) is assumed to be part of mutual SSL, versus simply (a) or (b)?

Answers

Yeah, I was thinking about something similar.

One thing that you can do is give your application a separate truststore that does not contain any CAs. This way you can just give access to clients with self-signed certificates that you have authorized.

I'll assume that by "mutual SSL" you mean TLS v1.0, 1.1, or 1.2 with both server and client certificate-based authentication, and by "part of mutual SSL" you mean part of the TLS specification.

Using this interpretation, only (a) is part of mutual SSL. The TLS specification includes sharing the certificate with an SSL handshake message. It does not include username/password checks or checking the SSL cert against an account.
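To make the split concrete, here is an added example (not from either answer) of where each level lives: the TLS layer enforces (a) through `CERT_REQUIRED` and a trust store, while (b) and (c) are ordinary application code that runs after the handshake on the peer certificate the socket hands back. The account layout, the file paths in `make_server_context`, and the DER byte strings are constructed for the example.

```python
import hashlib
import hmac
import os
import ssl

# Level (a) is enforced by the TLS layer: the handshake fails unless the client
# presents a certificate that chains to a CA in the server's trust store.
# (Paths are assumed; this function is not exercised below.)
def make_server_context(ca_bundle_path: str, cert_path: str, key_path: str) -> ssl.SSLContext:
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=ca_bundle_path)
    ctx.load_cert_chain(certfile=cert_path, keyfile=key_path)
    return ctx

def cert_fingerprint(der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate, lowercase hex."""
    return hashlib.sha256(der).hexdigest()

def hash_password(password: str, salt: bytes) -> bytes:
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 100_000)

# Constructed account record: a salted password hash for level (b) and the
# fingerprint of the one client certificate bound to this account for level (c).
def make_account(username: str, password: str, client_cert_der: bytes) -> dict:
    salt = os.urandom(16)
    return {"user": username, "salt": salt,
            "pw_hash": hash_password(password, salt),
            "cert_fp": cert_fingerprint(client_cert_der)}

def authenticate(peer_der: bytes, username: str, password: str, accounts: dict) -> str:
    """Application-layer checks run after the TLS handshake (level a) succeeded.
    peer_der is what SSLSocket.getpeercert(binary_form=True) returns.
    Returns 'ok', 'bad-credentials' or 'cert-not-bound'."""
    acct = accounts.get(username)
    # Level (b): do the password work even for unknown users so response timing
    # does not reveal whether the username exists.
    salt = acct["salt"] if acct else b"\x00" * 16
    expected = acct["pw_hash"] if acct else b"\x00" * 32
    if not hmac.compare_digest(hash_password(password, salt), expected) or acct is None:
        return "bad-credentials"
    # Level (c): the presented cert must be the one bound to the account, so a
    # different cert from the same trusted CA cannot reuse a leaked password.
    if not hmac.compare_digest(cert_fingerprint(peer_der), acct["cert_fp"]):
        return "cert-not-bound"
    return "ok"

# Constructed sample data: these bytes stand in for two CA-issued client certs.
ALICE_CERT = b"constructed-der-for-alice"
OTHER_CERT = b"constructed-der-for-another-client-trusted-by-the-same-ca"
ACCOUNTS = {"alice": make_account("alice", "correct horse", ALICE_CERT)}
```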




