IIS Server Security - SSL/TLS Handshake Control of CertificateRequest message


Author: timktaylor

2005-01-20, 5:57 pm

SSL/TLS Handshake has a CertificateRequest message (for client
authentication) that will prompt the browser for a certificate. Now
the Draft (SSL)/RFC 2246 (TLS section 7.4.4) states that in the
CertificateRequest message the server may include a list of acceptable
(intermediate perhaps) CAs to define a specific authorization space.

After receiving a certificate from the client in response to a
certificate request SSL/TLS will perform validation (not out of date,
not a forgery, and, if configured, not revoked). During validation a
trust list of CAs is consulted to validate the certificate chain. Of
course here is where the trusted roots are mandatory.

My Problem
My organization has a Root CA which has subordinate (intermediate) CAs
of two different classes. I only want to accept certificates from one
of the subordinate CA classes. Mind you that both classes issue
RSA-signing certificates. This causes my end users, who have a
certificate from each of the two subordinate CA classes, to get
prompted to pick a certificate to authenticate with. I have good
reasons for needing to eliminate the selection prompt (user confusion,
CRL bandwidth use, etc.). I want to pre-determine the certificate. The
spec states that the browser must return a NO CERTIFICATE message if
it cannot meet the CertificateRequest message criteria.

I have noticed that the certificate store on Windows Server has a
folder for trusted roots and one for intermediate CAs. Essentially,
there are two tasks in the handshake that certs serve: 1) verification,
2) the certificate request message.

I need to be able to specify which certificates to include in the
certificate request SSL/TLS handshake message so that I can make the
correct certificate the only one that is acceptable. The user doesn't
have to select (or ask support which one they should pick) and I only
need to handle half the CRLs I would otherwise. In doing so I will
specify intermediate certs for my specific authorization space rather
than any certificate issued by any CA signed by my root.

Does anyone know of a way (API or otherwise) to control
(configuration) the handshake certificate request message?

regards,
tt
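The CertificateRequest structure the post refers to (RFC 2246 section 7.4.4), worked through as an added example that is not from the post, from IIS or from any library: it encodes and decodes the handshake message and models the client-side filtering the spec describes, so the effect of the certificate_authorities list on which certificates a browser can offer is visible. The CA names are constructed byte-string stand-ins for DER-encoded X.501 Names, and select_client_certificates is a hypothetical model of the browser's choice, not real browser code.

```python
import struct

CERTIFICATE_REQUEST = 13  # HandshakeType certificate_request (RFC 2246 7.4)
RSA_SIGN = 1              # ClientCertificateType rsa_sign (RFC 2246 7.4.4)

def build_certificate_request(cert_types, ca_names):
    """Encode a TLS 1.0 CertificateRequest handshake message.
    ca_names are DER-encoded X.501 Names, each sent as opaque<1..2^16-1>."""
    if not ca_names:  # TLS 1.0 declares certificate_authorities<3..2^16-1>
        raise ValueError("at least one DistinguishedName is required")
    types = bytes([len(cert_types)]) + bytes(cert_types)
    ca_list = b"".join(struct.pack("!H", len(n)) + n for n in ca_names)
    body = types + struct.pack("!H", len(ca_list)) + ca_list
    # Handshake header: msg_type (uint8) + length (uint24), then the body.
    return bytes([CERTIFICATE_REQUEST]) + len(body).to_bytes(3, "big") + body

def parse_certificate_request(msg):
    """Inverse of build_certificate_request: returns (cert_types, ca_names)."""
    if msg[0] != CERTIFICATE_REQUEST:
        raise ValueError("not a CertificateRequest")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    n = body[0]
    cert_types, pos = list(body[1:1 + n]), 1 + n
    (ca_len,) = struct.unpack("!H", body[pos:pos + 2])
    pos, end, ca_names = pos + 2, pos + 2 + ca_len, []
    while pos < end:
        (name_len,) = struct.unpack("!H", body[pos:pos + 2])
        ca_names.append(body[pos + 2:pos + 2 + name_len])
        pos += 2 + name_len
    if pos != end:
        raise ValueError("malformed certificate_authorities vector")
    return cert_types, ca_names

def select_client_certificates(client_certs, ca_names):
    """Hypothetical model of the browser's choice: keep only certs whose issuer
    is in the advertised CA list. An empty result is the 'no certificate' case."""
    acceptable = set(ca_names)
    return [c for c in client_certs if c["issuer"] in acceptable]

# Constructed sample data: byte-string stand-ins for the DER-encoded issuer
# Names of the two subordinate CA classes in the post (not real DNs).
SUB_CA_CLASS_A = b"CN=Sub CA Class A,O=Example Org"
SUB_CA_CLASS_B = b"CN=Sub CA Class B,O=Example Org"
CLIENT_CERTS = [{"subject": b"CN=alice (A)", "issuer": SUB_CA_CLASS_A},
                {"subject": b"CN=alice (B)", "issuer": SUB_CA_CLASS_B}]
```

Listing only the wanted subordinate CA leaves the client one matching certificate, so no selection prompt is needed; listing the root instead (or both subordinates) would match both classes and bring the prompt back.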