"Frank Millman" <[EMAIL PROTECTED]> writes:

> > You also want to generate a client
> > certificate to install on the server.
>
> Both you and Sybren are insistent that this is a necessary step, but I
> confess I cannot see the need for it. The client is lightweight, and
> authenticates itself to the server using a user id and password. What
> is the worst that could go wrong?
The client cert approach isn't strictly necessary, but it means that the SSL stack takes care of stuff that your application would otherwise have to take care of at both the client and the server side. If you don't generate a certificate, you have to generate a username and password instead, and manage that. There's still secret authenticating info on the client, so you haven't really decreased the client's responsibility.

Also, if you need to go to a heavier-duty approach sometime, there's an industry making hardware devices (e.g. smart cards) that encapsulate keys and certificates so that the keys are very difficult to get access to. That improves security considerably.

--
http://mail.python.org/mailman/listinfo/python-list
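What "letting the SSL stack take care of it" looks like on the server side, as an added example written for this thread in Python (not code from either poster). It assumes the `ssl` module from the standard library; the PEM file names are placeholders, and the client certificate passed to `peer_identity` is whatever `SSLSocket.getpeercert()` returns after a successful handshake.

```python
import ssl


def configure_client_auth(ctx):
    """Make a server-side SSLContext demand a client certificate.

    With CERT_REQUIRED the handshake itself fails for a client that
    presents no certificate, or one not signed by the configured CA, so
    the application never has to check a username/password at all.
    """
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2   # refuse legacy protocol versions
    return ctx


def make_mtls_server_context(cert_file, key_file, ca_file):
    # Purpose.CLIENT_AUTH: this context is used by a server to authenticate clients.
    # cafile is the CA that issued the client certificates (placeholder path).
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca_file)
    ctx.load_cert_chain(cert_file, key_file)    # the server's own identity
    return configure_client_auth(ctx)


def peer_identity(peercert):
    """Return the commonName of an already-verified client certificate.

    `peercert` has the dict shape returned by SSLSocket.getpeercert():
    {'subject': ((('countryName', 'ZA'),), (('commonName', 'frank'),)), ...}
    An empty dict / None means no certificate was verified, which only
    happens if verify_mode was left at CERT_NONE, so treat it as a failure.
    """
    if not peercert:
        raise PermissionError("no verified client certificate")
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    raise PermissionError("client certificate has no commonName")


def serve_once(listening_sock, ctx):
    """Accept one connection; identity comes from the certificate, not a login step."""
    raw, _ = listening_sock.accept()
    with ctx.wrap_socket(raw, server_side=True) as conn:
        user = peer_identity(conn.getpeercert())
        conn.sendall(f"hello {user}\n".encode())
        return user
```

`make_mtls_server_context("server.pem", "server.key", "ca.pem")` is the only place the application touches key material; everything else it learns about the client comes from the verified certificate.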