Page 2-35 of the 7.9 release notes, in the last paragraph, states: "Currently there are two notable limitations compared to the previous implementation. First, client authentication is not supported yet."

How soon will support for client authentication be available?

Terry

===========================================================
Terry Raymond
Crafted Smalltalk
80 Lazywood Ln.
Tiverton, RI 02878
(401) 624-4517
[hidden email]
===========================================================

_______________________________________________
vwnc mailing list
[hidden email]
http://lists.cs.uiuc.edu/mailman/listinfo/vwnc
"Terry Raymond"<[hidden email]> wrote:
> Date: July 16, 2012 11:33:44 AM
> "Currently there are two notable limitations compared to the previous
> implementation. First, client authentication is not supported yet."
>
> How soon will support for client authentication be available?

The hope is to have it ready for 7.10. I'm curious though, this is the first time I hear of anyone actually requiring this feature of the protocol. Generally client authentication is rarely used due to requiring the client to have its own certificate, which is often prohibitively complex to manage in configurations where there are multiple clients (which is the case more often than not). I was actually wondering if it's even worth supporting, because it does complicate the protocol implementation in non-trivial ways.

Can you say more about how you're using it, what is your deployment setup? How do you validate the client certificate on the server side? Anyone else out there that finds this feature useful?

Thanks,

Martin
Martin,
I hadn't noticed this when I was looking at 7.9 and while I can agree that it's a rare beast to see in the wild, it does happen and we had one notable partner that required it, for which we used the below form:

    | cl resp |
    cl := (HttpClient new) useSecureConnection; yourself.
    "Client certificate and private key presented during the TLS handshake"
    cl sslContext rsaSigningCertificatePair:
        (Array with: (Array with: self certificate) with: self key).
    resp := cl post: url contents: document.
    ...

HTH,

-Boris

-----Original Message-----
From: [hidden email] [mailto:[hidden email]] On Behalf Of [hidden email]
Sent: Monday, July 16, 2012 1:03 PM
To: Terry Raymond
Cc: VWNC
Subject: Re: [vwnc] [VW 7.9} When will client authentication be supported?
On 7/16/2012 7:03 PM, [hidden email] wrote:
> "Terry Raymond"<[hidden email]> wrote:
>> First, client authentication is not supported yet."

Ouch, good catch.

> The hope is to have it ready for 7.10. I'm curious though, this is the
> first time I hear of anyone actually requiring this feature of the
> protocol.

Our products use client certificates. If 7.9 does not and will not support client cert validation for SSL that would be a show-stopper for us moving to 7.9. At the moment we are stuck on 771 (for reasons unrelated to Security), if 7.9 is off limits too it will start to hurt us even more than it already does (particularly because the SOAP stack is maturing considerably since 771). I'll escalate this issue on our side, perhaps this will result in someone handing you resources to implement it before 7.10 ;-)

> Generally client authentication is rarely used due to requiring the
> client to have its own certificate, which is often prohibitively complex
> to manage in configurations where there are multiple clients (which is
> the case more often than not).

Attention! These are web-centric assumptions. Let me remind you that VW is a popular 'give me a plain socket' fat client & server programming environment, even since way before http escaped CERN.

> I was actually wondering if it's even worth supporting, because it does
> complicate the protocol implementation in non-trivial ways.

For us it is a show-stopper if absent.

> Can you say more about how you're using it, what is your deployment
> setup? How do you validate the client certificate on the server side?

The certificate is embedded in the software (it somewhat authenticates the software -- not the user).

In the below code
-- we advertise encryption prior to turning it on,
-- spsConnectionFor: creates our own variation of SSLConnection that does not use ReadAppendStream (which had threading issues in the past).

[on 771]

    addSecureClientConnectionForSocket: clientSocket
        | ec context externalConnection clientCertificateSubject |
        ec := clientSocket asExternalConnection.
        "Advertise encryption to the peer before switching the connection to SSL"
        (ec writeStream) nextPutAll: 'SSL'; flush.
        context := self createSSLContext.
        externalConnection := context spsConnectionFor: ec.
        clientCertificateSubject := self clientCertificateSubject.
        "Accept the client only if CN, O and OU of its certificate subject match
         the expected subject; a missing client certificate is turned into an Error"
        [externalConnection acceptSubject: [:dnd |
            dnd commonName = clientCertificateSubject commonName
                and: [dnd organization = clientCertificateSubject organization
                and: [dnd organizationUnit = clientCertificateSubject organizationUnit]]].
        true] on: Security.SSLNoCertificate do: [:ex | ex resignalAs: Error].
        ^externalConnection

Reinout Heeck
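Both sides of the setup discussed in this thread (the client presenting its own certificate, as in Boris's HttpClient snippet, and the server checking the presented subject's CN/O/OU, as in Reinout's acceptSubject: block), written as an added example in Python's standard `ssl` module. This is not VisualWorks code and not from either poster; the expected subject, the file paths and the sample peer certificate dictionary are constructed here. The server context also requires chain verification against a CA file, which is the caveat the DN comparison alone does not cover: a matching subject says nothing about who issued the certificate.

```python
import ssl

# Constructed expected client subject, the counterpart of clientCertificateSubject.
EXPECTED_SUBJECT = {
    "commonName": "partner-app",
    "organizationName": "Example Corp",
    "organizationalUnitName": "Integration",
}

def subject_fields(peercert):
    """Flatten the 'subject' entry of ssl.SSLSocket.getpeercert() into a dict.
    getpeercert() returns the subject as a tuple of RDNs, each a tuple of
    (attribute, value) pairs; an empty dict means no certificate was presented."""
    fields = {}
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            fields[key] = value
    return fields

def subject_matches(peercert, expected=EXPECTED_SUBJECT):
    """Mirror of the acceptSubject: check: CN, O and OU must all equal the expected
    subject. A missing certificate or a missing attribute fails closed (False)."""
    fields = subject_fields(peercert)
    return all(fields.get(key) == value for key, value in expected.items())

def server_context(cafile, certfile, keyfile):
    """Server side: demand a client certificate and verify its chain against cafile
    before the subject is ever compared. Only chain-valid certificates reach
    subject_matches(); the handshake fails if the client presents none."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.load_verify_locations(cafile=cafile)
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx

def client_context(cafile, certfile, keyfile):
    """Client side: the equivalent of rsaSigningCertificatePair:, loading the
    client's own certificate and private key so they are offered in the handshake."""
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=cafile)
    ctx.load_cert_chain(certfile=certfile, keyfile=keyfile)
    return ctx

# Constructed sample in the exact shape getpeercert() returns for a verified peer.
SAMPLE_PEERCERT = {
    "subject": (
        (("countryName", "US"),),
        (("organizationName", "Example Corp"),),
        (("organizationalUnitName", "Integration"),),
        (("commonName", "partner-app"),),
    ),
    "issuer": ((("commonName", "Example Internal CA"),),),
}
```

After `accept()` on a socket wrapped with `server_context(...)`, call `subject_matches(conn.getpeercert())` and close the connection when it returns False.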