[Owasp-ireland] client-side ssl certs?

Eoin eoin.keary at owasp.org
Thu Aug 11 12:32:43 EDT 2011


How about 2-layer auth, two passwords where the second one is asked only when the first is correct? No certs, but a little better than user/pswd.


 

On 11 Aug 2011, at 17:04, John Marmelstein <john.marmelstein at gmail.com> wrote:

> Hi Folks,
> How is everyone? It’s been a bit quiet!
> 
> Anyway, might anyone have thoughts or experience on client-side ssl certs?
> 
> I am making a web app. I need some form of user authentication. I’m
> thinking I need to go a bit better than just having username/password
> for access control. What options are out there? It's for a
> public-sector thing. My hesitation with username/password access
> control is that the credentials might just get passed around.
> 
> I guess that client-side certs are the answer. But, there will be
> about 2000 users. These are low-tech users, distributed around
> Ireland. On their personal (i.e. not standardized) browsers/operating
> systems. So I can’t call around to them all doing the certificate
> installs. I’m not optimistic about asking this user population to do
> it themselves.
> 
> Any opinions?
> Maybe it boils down to saying that I either have to use username/password
> or accept the large effort of generating, installing and managing the certs?
> Is there a good way to generate, install and manage certs?
> 
> Thanks!
> JM
> 
> 
> -- 
> John Marmelstein
> 087 136 0045
> _______________________________________________
> Owasp-ireland mailing list
> Owasp-ireland at lists.owasp.org
> https://lists.owasp.org/mailman/listinfo/owasp-ireland

