@bensummers Might you be able to help @dsilverstone out with this problem? blog.digital-scurf.org/2012/… (As you’ve done things with SSL before…)
@jogbert @dsilverstone Should be possible, but you'll be fighting infrastructure all the way. Make a CA for client, sign client certs.
@bensummers @jogbert Thanks for the encouragement. Not sure how I can generate the client cert without access to the client's private key :(
@dsilverstone @jogbert But ask a real cryptographer, not just someone who plays one on the twitters.
@dsilverstone That’s why your *user* needs to generate the self-signed cert for SSL client cert. On server, check public key matches, not CA
@dsilverstone You can't auth with a public key because it's public!
@dsilverstone ssh server has the public key. Client proves to the server it has the matching private key, without actually sending it.
@dsilverstone So it's the private key which authenticates. You can publish your public key without compromising your security.
@dsilverstone So to achieve your objective you need to transform the large numbers comprising the keys into the SSL equivalent: cert & keys.