Anders Rundgren <anders.rundg...@telia.com> wrote:

> That's correct. But even if you send a stolen static cert req, you don't
> get very far with that since if you haven't the private key you can't
> use the returned cert anyway which I guess is why this function hasn't been
> much requested.
>
> I'm not sure what you had intended to use this function

My idea was to use it for authentication purposes. The SSL handshake only allows the client to authenticate against the web server. If you want to authenticate using a certificate to another service for which the web server is just a proxy (an LDAP directory for which you have a web frontend is an example), you must have a privileged web application. In order to make the web application unprivileged, I had the idea of implementing a SASL plugin that would send a POP challenge to the browser. But perhaps there are alternatives?

--
Emmanuel Dreyfus
http://hcpnet.free.fr/pubz
m...@netbsd.org
--
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto