IE only lets you select from certificates that have a root CA in common
with the server certificate. This is independent of the web server
platform. The web server presents its certificate as part of the SSL
handshake, so IE does know the issuing CA from the certification path. 

Bart...

-----Original Message-----
From: Ohaya [mailto:[EMAIL PROTECTED] 
Sent: 05 September 2003 01:26
To: [EMAIL PROTECTED]; [EMAIL PROTECTED]
Subject: Long - Some questions about SSL, Client Authentication...

Hi,

I'm new here, and have been "experimenting" with SSL and client
authentication and certificates.  My current setup is using IE6 and IIS
under Win2003 Server, but I have some general questions about SSL and
client authentication/certificates that I'm quite puzzled about.  

I haven't been able to find a good place to discuss this, but I hope
that someone here can help!!

So far, I've gotten the above (IE and IIS) setup working and talking to
each other, with a server certificate installed on the IIS and several
client certificates (with different user names) installed on IE.  These
certs were created using Certificate Server on the Win2003 box.

I've read through the SSLV3 protocol doc, etc., and I guess that my main
question is when client authentication occurs under SSL, what, exactly,
does a successful client authentication "mean"?  In reference to this,
I'm looking at:

http://support.microsoft.com/default.aspx?scid=kb;EN-US;257586

which has a very detailed explanation of the steps that the server
actually takes when "authenticating a client", in steps 3 and 4 of the
above page in particular.

For example, assuming that steps 3 and 4 are successful, can the server
really be assured that the DN in the client certificate "accurately"
identifies the person who is using the client/IE (i.e., that the person
using the client is the person named in the DN of the client
certificate)?

One final question...  This one may be specific to the behavior of IE,
but I'm not sure:

1) I have one server certificate installed in IIS, which I created when
I did the Certificate Server installation.

2) In my IE browser, I have two client certificates that I generated and
installed using my Certificate Server, i.e., these 2 client certs have
the same root as the root for the server cert in IIS.

3) In my IE browser, I also have a 3rd client certificate, which I got
as a free trial from:

http://www.globalsign.net/digital_certificate/personalsign/index.cfm

4) All 3 of these client certificates are displayed in IE when I do
Tools->Internet Options->Content->Certificates

Now the question:  When I point my IE browser to my IIS with the
"https://" URL, IE pops up a window asking me which client cert I want
to use.  BUT, this window only displays the 2 client certs that I
created using Certificate Server.  The GlobalSign cert isn't listed!

The reason that I was trying this last "experiment" was I was wondering
what would happen if I tried to connect to a server that had a server
cert issued by one CA (my Certificate Server), using IE and a client
cert from a different CA (GlobalSign)?

Does anyone know why IE doesn't show/list the GlobalSign client cert?
From what I've read in the SSL protocol doc, it doesn't appear that the
server sends the browser a list of "valid" CAs, so how or why does IE
"know" not to list the GlobalSign client cert?

Does anyone know the answer to the last question?  If a browser (e.g.,
maybe Netscape) were to show all 3 client certs and not "filter" out the
GlobalSign client cert, would the SSL client authentication have then
failed?  And, why?

Again, my apologies in advance...

Jim
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
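The filtering Jim describes can be reproduced from the protocol itself: the SSLv3/TLS 1.0 CertificateRequest handshake message (RFC 2246 section 7.4.4) carries a certificate_authorities list of DER-encoded distinguished names, and a client may use that list to decide which of its certificates are worth offering. The example below is added here and is not code from the thread or from any of the products mentioned; it builds a CertificateRequest, parses it back, and applies the filter to a constructed set of client certificates. The CA names and client certificates are constructed placeholders, not Jim's actual Certificate Server or GlobalSign certificates.

```python
"""Build and parse a TLS 1.0 CertificateRequest, then filter client certs
by the server's advertised CA names (added example, constructed data)."""
import struct

# Minimal attribute-type table for the X.501 Names used in this example.
OID_NAMES = {"2.5.4.3": "CN", "2.5.4.10": "O", "2.5.4.6": "C"}
NAME_OIDS = {v: k for k, v in OID_NAMES.items()}


def _der_len(n):
    if n < 0x80:
        return bytes([n])
    body = n.to_bytes((n.bit_length() + 7) // 8, "big")
    return bytes([0x80 | len(body)]) + body


def _der(tag, body):
    return bytes([tag]) + _der_len(len(body)) + body


def _oid(dotted):
    parts = [int(p) for p in dotted.split(".")]
    out = [parts[0] * 40 + parts[1]]
    for p in parts[2:]:
        enc = [p & 0x7F]
        p >>= 7
        while p:
            enc.insert(0, (p & 0x7F) | 0x80)
            p >>= 7
        out.extend(enc)
    return _der(0x06, bytes(out))


def encode_name(rdns):
    """[("CN", "x"), ("O", "y")] -> DER-encoded X.501 Name (one attribute per RDN)."""
    sets = b""
    for attr, val in rdns:
        atv = _der(0x30, _oid(NAME_OIDS[attr]) + _der(0x0C, val.encode()))
        sets += _der(0x31, atv)
    return _der(0x30, sets)


def _read_tlv(buf, pos):
    tag, ln, pos = buf[pos], buf[pos + 1], pos + 2
    if ln & 0x80:
        n = ln & 0x7F
        ln = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    return tag, buf[pos:pos + ln], pos + ln


def _decode_oid(b):
    parts, v = [b[0] // 40, b[0] % 40], 0
    for byte in b[1:]:
        v = (v << 7) | (byte & 0x7F)
        if not byte & 0x80:
            parts.append(v)
            v = 0
    return ".".join(map(str, parts))


def decode_name(der):
    """DER Name -> "CN=x,O=y" string, in encoded order."""
    tag, body, _ = _read_tlv(der, 0)
    if tag != 0x30:
        raise ValueError("Name must be a SEQUENCE")
    rdns, pos = [], 0
    while pos < len(body):
        _, set_body, pos = _read_tlv(body, pos)
        _, atv, _ = _read_tlv(set_body, 0)
        _, oid_b, p = _read_tlv(atv, 0)
        _, val_b, _ = _read_tlv(atv, p)
        oid = _decode_oid(oid_b)
        rdns.append(f"{OID_NAMES.get(oid, oid)}={val_b.decode()}")
    return ",".join(rdns)


def build_certificate_request(cert_types, ca_names_der):
    """Handshake type 13 with certificate_types and certificate_authorities."""
    body = bytes([len(cert_types)]) + bytes(cert_types)
    cas = b"".join(struct.pack("!H", len(n)) + n for n in ca_names_der)
    body += struct.pack("!H", len(cas)) + cas
    return bytes([13]) + len(body).to_bytes(3, "big") + body


def parse_certificate_request(msg):
    """Returns (certificate_types, [CA name strings]) from a handshake message."""
    if msg[0] != 13:
        raise ValueError("not a CertificateRequest")
    body = msg[4:4 + int.from_bytes(msg[1:4], "big")]
    n, types = body[0], list(body[1:1 + body[0]])
    pos = 1 + n
    end = pos + 2 + struct.unpack("!H", body[pos:pos + 2])[0]
    pos, names = pos + 2, []
    while pos < end:
        ln = struct.unpack("!H", body[pos:pos + 2])[0]
        names.append(decode_name(body[pos + 2:pos + 2 + ln]))
        pos += 2 + ln
    return types, names


def eligible_client_certs(client_certs, acceptable_cas):
    """Keep certs whose chain contains an issuer the server listed."""
    return [c["subject"] for c in client_certs
            if any(i in acceptable_cas for i in c["chain_issuers"])]


# Constructed data: the server's own issuing CA and three client certs.
SERVER_CA = [("CN", "Lab Certificate Server"), ("O", "Lab")]
CLIENT_CERTS = [
    {"subject": "CN=alice", "chain_issuers": ["CN=Lab Certificate Server,O=Lab"]},
    {"subject": "CN=bob", "chain_issuers": ["CN=Lab Certificate Server,O=Lab"]},
    {"subject": "CN=jim-trial", "chain_issuers": ["CN=Example Trial CA,O=Example"]},
]


def demo():
    msg = build_certificate_request([1], [encode_name(SERVER_CA)])  # 1 = rsa_sign
    _, cas = parse_certificate_request(msg)
    return eligible_client_certs(CLIENT_CERTS, cas)


if __name__ == "__main__":
    print("offerable client certificates:", demo())
```

Whether a given browser applies this filter, or falls back to matching the server certificate's root, is a client implementation choice; the protocol only defines the list.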