Certificate based login ( ADCS )
Create a method that allows dshub to create a certificate that clients can
use to authentify themselves into a hub. This has to be discussed with
client developers (if possible to reach a better agreement)
Blueprint information
Related branches
Sprints
Whiteboard
The first question that rises is : The client should use a certificate generated by the hub to login ( signed by the hub's private key ) , but this means a client will have more certificates for each registered hub. This doesn't mean the client's public key changes ( just that it has more certificates for the same key signed by different issuers ). The client should implement such a mechanism . And secondly, there should be an easy way to get the certificates from the hub to the clients. This could be done automatically or manually . Anyway, the client should have in it's favorites tab a field where the user could select what certificate to use for authentication with that specific hub.
I'm waiting for feedback from client developers if this is ok or not with their ideas...
After a long talk with Quicksilver ( UC dev ) , we've considered a new idea, at his suggestion, that simplifies all of our lives. Instead of the certificates signed by the hub, the hub will keep a list of authorized public keys. So the account will be on CID + public key. This eliminates the need for ANY change in the client. The hub will do everything. From my point of view, this is the best way to do it, and the issue is approved in this way. If anyone has other ideas I'm waiting for feedback. I will wait for a while then set this whiteboard for good to go. 12.12.2008
After talking to people on the java forums, I have come to the conclusion that having an authorized keys list is very annoying and presents many security flaws. Here is the full talk : http://
Now I am thinking that the first solution was better, perhaps a mixup of the two? Or something completely new? 30.12.2008
