> My question is, how's a typical authentication delegation implemented
> using SSL? I can visualize a point-to-point authentication happening between
> the client and ServiceA. But, how can I control access to ServiceB's
> resources by ServiceA unless ServiceA is acting on behalf of an authorised
> user? Surely, I don't want ServiceA to know the client's private key....
Assuming
Client <--> Service A <--> Service B
I don't believe you can do this with straight SSL. You will have to
build some extra security protocol on top of, underneath, or "next to"
it. Simplest is to define a protocol where A can say "treat me like you
would the Client" and B is configured to allow A to do arbitrary
impersonation. You might be able, with participation of the Client, to have
A play a man-in-the-middle game.
This is really one of those places where it is important to understand
the subtleties of *transport* level security as opposed to end-to-end. :)
> Wonder how those CORBA ORBs use SSL for security when delegation is
> involved.
Those who do it right add their own I&A (identification and authorization)
on top of SSL. There's a reason why (last time I looked) IIOP had its
own security payload.
/r$
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
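The "treat me like you would the Client" protocol from the reply above, modelled as an added example (not code from the thread or from OpenSSL): service B's TLS layer yields only the subject of the certificate that authenticated the connection, and the on-behalf-of assertion is plain application data that B must explicitly decide whether to trust. The subject names, resources and the per-impersonator allow-list (narrower than the arbitrary impersonation the reply mentions) are constructed assumptions.

```python
from dataclasses import dataclass, field

ANY = "*"  # constructed marker: this impersonator may act for any subject


@dataclass
class ServiceB:
    acl: dict                                       # resource -> set of subjects allowed
    delegation: dict = field(default_factory=dict)  # TLS subject -> subjects it may act for
    audit: list = field(default_factory=list)       # every decision, for later review

    def authorize(self, tls_subject, resource, on_behalf_of=None):
        """Return the subject granted access, or None.

        tls_subject is what B's own TLS handshake verified (the peer's client
        certificate).  on_behalf_of is an unauthenticated claim carried in the
        application protocol; it is honoured only for configured impersonators,
        so no peer ever needs the client's private key.
        """
        effective = tls_subject
        if on_behalf_of is not None:
            allowed = self.delegation.get(tls_subject, set())
            if ANY not in allowed and on_behalf_of not in allowed:
                self.audit.append(("impersonation-refused", tls_subject, on_behalf_of, resource))
                return None
            effective = on_behalf_of
        if effective not in self.acl.get(resource, set()):
            self.audit.append(("denied", tls_subject, effective, resource))
            return None
        self.audit.append(("granted", tls_subject, effective, resource))
        return effective


def demo():
    # Constructed configuration: A may act only for the client, never for admin.
    b = ServiceB(acl={"/orders": {"CN=client"}, "/admin": {"CN=admin"}},
                 delegation={"CN=serviceA": {"CN=client"}})
    return [
        b.authorize("CN=client", "/orders"),                              # direct access: granted
        b.authorize("CN=serviceA", "/orders"),                            # A as itself: denied
        b.authorize("CN=serviceA", "/orders", on_behalf_of="CN=client"),  # delegated: granted
        b.authorize("CN=serviceA", "/admin", on_behalf_of="CN=admin"),    # outside A's scope: refused
        b.authorize("CN=mallory", "/orders", on_behalf_of="CN=client"),   # untrusted peer: refused
    ]


if __name__ == "__main__":
    print(demo())  # ['CN=client', None, 'CN=client', None, None]
```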