Netscape MANAGEMENT SYSTEM 6.1 - ADMINISTRATOR Administrator's Manual page 774

Certificates and Authentication
As shown in the next section, one of the advantages of certificate-based
authentication is that it can be used to replace the first three steps in Figure J-4 with
a mechanism that allows the user to supply just one password (which is not sent
across the network) and allows the administrator to control user authentication
centrally.
Certificate-Based Authentication
Figure J-5 shows how client authentication works using certificates and the SSL
protocol. To authenticate a user to a server, a client digitally signs a randomly
generated piece of data and sends both the certificate and the signed data across
the network. For the purposes of this discussion, the digital signature associated
with some data can be thought of as evidence provided by the client to the server.
The server authenticates the user's identity on the strength of this evidence.
Like Figure J-4, Figure J-5 assumes that the user has already decided to trust the
server and has requested a resource, and that the server has requested client
authentication in the process of evaluating whether to grant access to the requested
resource.
Figure J-5
Unlike the process shown in Figure J-4, the process shown in Figure J-5 requires the
use of SSL. Figure J-5 also assumes that the client has a valid certificate that can be
used to identify the client to the server. Certficate-based authentication is generally
considered preferable to password-based authentication because it is based on
wheat the user has (the private key) as well as what the user knows (the password
that protects the private key). However, it's important to note that these two
774 Managing Servers with Netscape Console • December 2001
Using a Certificate to Authenticate a Client to a Server