Paul Rubin enlightened us with:
> The client cert approach isn't strictly necessary but it means that
> the SSL stack takes care of stuff that your application would
> otherwise have to take care of at both the client and the server
> side.
Indeed. I always try to take the route of the least wheels I have to
invent. If a group of security specialists have already looked at such
a mechanism, why should I reinvent another?
> If you don't generate a certificate, you have to generate a username
> and password instead, and manage that. There's still secret
> authenticating info on the client, so you haven't really decreased
> the client's responsibility.
And on top of that, using passwords the secret information is sent
over the network.
Sybren
--
The problem with the world is stupidity. Not saying there should be a
capital punishment for stupidity, but why don't we just take the
safety labels off of everything and let the problem solve itself?
Frank Zappa
--
http://mail.python.org/mailman/listinfo/python-list
