Fwiw,

For client authentication we ask our clients to send us a Certificate
Signing Request for the keypair they want to use, and we sign them using
our internal Client Authentication CA. We set the CN and other options to
what we want for our systems to authorize them correctly, and then send the
client the resulting certificate back.

We never see their private key, and we have full control of validity of
their certificate (revocation and expiration).

On Fri, Aug 30, 2019, 10:15 Charles Mills <charl...@mcn.org> wrote:

> Andrew, that's a good thought. I'm not knowledgeable enough to tell
> whether it is perfect from a cryptographic point of view or not.
>
> FWIW though, that is not how X.509 standard client authentication works.
> It works the way I described, in accordance with RFC 5246 7.4.6.
>
> Passwords work, and are obviously THE most common form of client
> authentication. I think a primary usage of client certificate
> authentication is with unattended processes. (Think z/OS jobs!) There is no
> one available to key in a password, and passwords stored in files make the
> auditors very cranky.
>
> Charles
>
>
> -----Original Message-----
> From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On
> Behalf Of Andrew Rowley
> Sent: Thursday, August 29, 2019 6:38 PM
> To: IBM-MAIN@LISTSERV.UA.EDU
> Subject: Re: vendor distributes their private key
>
> On 29/08/2019 9:18 am, Charles Mills wrote:
>
> > But for certificate-based client authentication, the server admin must
> > send the client admin a client certificate AND its private key. Why?
> > Philosophically, because a client certificate signed by a trusted CA does
> > not prove the authenticity of the client. A man-in-the-middle might have
> > previously intercepted the certificate and now be sending it out from HIS
> > client as its own.
>
> This doesn't sound right somehow. I suspect it is often implemented that
> way, but it sounds worse than password authentication with a good password.
>
> ----------------------------------------------------------------------
> For IBM-MAIN subscribe / signoff / archive access instructions,
> send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
>
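
The CSR-based issuance flow described at the top of this message, as an added example that is not code from any participant in the thread. It uses the openssl command-line tool: the client generates its key pair and sends only a certificate signing request; the internal Client Authentication CA signs it with the subject and extensions the CA chooses (the CN the client asked for is discarded, and no CSR extensions are copied), and later revokes it by publishing a CRL. The CA name, subjects, directory layout and the use of `openssl ca` with a file-based database are all constructed for the demo.

```shell
#!/bin/sh
# Added example (not from the thread): CSR-based issuance of a TLS client-auth
# certificate with the openssl CLI. The client keeps its private key; the CA
# overrides the subject, applies its own extensions and can later revoke the
# certificate via a CRL. All names and paths are constructed for the demo.
set -eu

# Minimal openssl.cnf for the CA kept under the absolute directory $1.
write_ca_config() {
    cat > "$1/ca.cnf" <<EOF
[ ca ]
default_ca = client_auth_ca
[ client_auth_ca ]
dir = $1
database = \$dir/index.txt
new_certs_dir = \$dir/newcerts
serial = \$dir/serial
certificate = \$dir/ca.crt
private_key = \$dir/ca.key
default_md = sha256
default_days = 90
default_crl_days = 7
policy = policy_client
x509_extensions = client_ext
copy_extensions = none
[ policy_client ]
organizationName = optional
organizationalUnitName = optional
commonName = supplied
[ ca_ext ]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
[ client_ext ]
basicConstraints = critical,CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid:always
[ req ]
distinguished_name = req_dn
[ req_dn ]
EOF
}

# CA side, once: create the CA database files and a self-signed CA certificate.
setup_ca() {   # ca_dir
    mkdir -p "$1/newcerts" && : > "$1/index.txt" && echo 1000 > "$1/serial"
    write_ca_config "$1"
    openssl req -x509 -config "$1/ca.cnf" -extensions ca_ext -newkey rsa:2048 -nodes \
        -keyout "$1/ca.key" -out "$1/ca.crt" -days 365 \
        -subj "/O=Example Corp/CN=Example Internal Client Auth CA" 2>/dev/null
}

# Client side: generate the key pair locally; only client.csr is sent to the CA.
client_make_csr() {   # client_dir
    mkdir -p "$1"
    printf '[ req ]\ndistinguished_name = req_dn\n[ req_dn ]\n' > "$1/req.cnf"
    openssl req -new -config "$1/req.cnf" -newkey rsa:2048 -nodes -keyout "$1/client.key" \
        -out "$1/client.csr" -subj "/CN=whatever-the-client-typed" 2>/dev/null
}

# What crosses the wire is a request; it must never carry private key material.
csr_has_no_private_key() { grep -q 'CERTIFICATE REQUEST' "$1" && ! grep -q 'PRIVATE KEY' "$1"; }

# CA side: sign the CSR with the subject the CA's authorization rules expect
# (the requested CN is discarded) and the client_ext extensions from ca.cnf.
ca_issue_cert() {   # ca_dir csr out_cert subject
    openssl ca -config "$1/ca.cnf" -batch -notext -subj "$4" -in "$2" -out "$3" >/dev/null 2>&1
}

# CA side: revoke a certificate and publish a fresh CRL; the CA alone decides this.
ca_revoke() {   # ca_dir cert
    openssl ca -config "$1/ca.cnf" -batch -revoke "$2" -crl_reason superseded >/dev/null 2>&1
    openssl ca -config "$1/ca.cnf" -gencrl -out "$1/ca.crl" >/dev/null 2>&1
}

# Relying-party check: chains to the CA, fit for TLS client auth, not revoked.
cert_is_valid() {   # ca_dir cert
    if [ -f "$1/ca.crl" ]; then
        openssl verify -purpose sslclient -CAfile "$1/ca.crt" -CRLfile "$1/ca.crl" -crl_check "$2" >/dev/null 2>&1
    else
        openssl verify -purpose sslclient -CAfile "$1/ca.crt" "$2" >/dev/null 2>&1
    fi
}
cert_subject() { openssl x509 -in "$1" -noout -subject -nameopt RFC2253; }

# The issued certificate binds the key the client generated and never shared.
cert_matches_key() {   # cert key
    [ "$(openssl x509 -in "$1" -noout -pubkey)" = "$(openssl pkey -in "$2" -pubout)" ]
}

run_demo() {   # work_dir
    setup_ca "$1/ca"
    client_make_csr "$1/client"
    csr_has_no_private_key "$1/client/client.csr"
    ca_issue_cert "$1/ca" "$1/client/client.csr" "$1/client/client.crt" \
        "/O=Example Corp/OU=Client Auth/CN=batchjob-1234"
    cert_subject "$1/client/client.crt"
    cert_is_valid "$1/ca" "$1/client/client.crt" && echo "accepted before revocation"
    ca_revoke "$1/ca" "$1/client/client.crt"
    cert_is_valid "$1/ca" "$1/client/client.crt" || echo "rejected after revocation"
}

run_demo "${DEMO_DIR:=$(mktemp -d)}"
```

The `-subj` override on `openssl ca` together with `copy_extensions = none` is the "we set the CN and other options to what we want" step: whatever the requester put in the CSR, the issued certificate carries the identity and the clientAuth extensions the CA's authorization rules expect. `cert_matches_key` confirms the certificate is bound to the key that stayed on the client, and the two `cert_is_valid` calls around `ca_revoke` show the CA's control of validity taking effect without anything being sent back to the client.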
