Subject | RE: [firebird-support] Tie X.509 certificate to username |
---|---|
Author | Alan McDonald |
Post date | 2007-07-09T14:35:58Z |
> On Mon, 2007-07-09 at 23:44 +1000, Alan McDonald wrote:
> > > Just to explain why: Suppose that user A and user B both have a
> > > different, but valid certificate. They can both use their certificate to
> > > connect to the server, but then use the username of the other user to
> > > log in. I want to make sure that each user is connected with his/her
> > > specific certificate.
> > why do you give all your users the same password?
>
> Thanks for your reply. I guess my explanation could have been better. I
> meant to say: 'but then use the username/password of the other user to
> log in'.
>
> What I am trying to achieve is a strong authentication, based on
> 'something you have' and 'something you know'. Therefore, I'd like to
> use a certificate ('something you have') and a password ('something you
> know'). Alternatively, I can protect the certificate with a passphrase.
>
> In my application, I want to make sure that data from two users cannot
> be mixed up by any means, either due to a mistake, or on purpose.
>
> Koen

But the certificate is used at the protocol level. Access to FB is still via
username and password, there's no way around that.
The certificates you hand out are only good for protecting the transport.
In short: no, FB does not know anything about how to handle certificates.
You need a proxy to do all that for you, and the users still need to supply a
username (something they have) AND a password (something they know).
Alan
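
The check a TLS-terminating proxy in front of Firebird would have to make to tie a certificate to a username, as an added example that is not part of the original thread and not Firebird code. It assumes the proxy has already obtained the username from the login request; all function names, the binding table and the sample certificate bytes are hypothetical.

```python
import hashlib
import hmac
import ssl


def make_server_context(server_cert, server_key, client_ca):
    """TLS context for the proxy listener: a client certificate is mandatory."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(server_cert, server_key)
    ctx.load_verify_locations(client_ca)
    ctx.verify_mode = ssl.CERT_REQUIRED  # handshake fails without a valid cert
    return ctx


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 of the DER bytes, as from getpeercert(binary_form=True)."""
    return hashlib.sha256(der_cert).hexdigest()


def login_allowed(der_cert, requested_user, bindings) -> bool:
    """True only if this exact certificate is bound to the requested username."""
    if not der_cert or not requested_user:
        return False
    bound_user = bindings.get(fingerprint(der_cert))
    if bound_user is None:
        return False  # certificate may be valid, but is not enrolled for any user
    # Assumption: usernames are compared case-insensitively.
    return hmac.compare_digest(
        bound_user.upper().encode(), requested_user.upper().encode()
    )


# Constructed sample data: stand-ins for two users' DER-encoded certificates.
CERT_A = b"constructed-der-bytes-for-user-a"
CERT_B = b"constructed-der-bytes-for-user-b"
BINDINGS = {fingerprint(CERT_A): "USER_A", fingerprint(CERT_B): "USER_B"}

if __name__ == "__main__":
    # User A's certificate with user A's name is accepted.
    print(login_allowed(CERT_A, "user_a", BINDINGS))
    # The case from the thread: A's certificate, B's username.
    print(login_allowed(CERT_A, "USER_B", BINDINGS))
```

The password check still happens in Firebird itself; the proxy only refuses to forward a login whose username does not belong to the presented certificate.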