Netscape Certificate Management System 6.1 Administrator's Manual, page 809

3. Is the issuing CA a trusted CA? Each SSL-enabled server maintains a list of trusted CA certificates, represented by the shaded area on the right side of Figure K-3. This list determines which certificates the server will accept. If the DN of the issuing CA matches the DN of a CA on the server's list of trusted CAs, the answer to this question is yes, and the server goes on to Step 4. If the issuing CA is not on the list, the client will not be authenticated unless the server can verify a certificate chain ending in a CA that is on the list. Administrators can control which certificates are trusted or not trusted within their organizations by controlling the lists of CA certificates maintained by clients and servers.

4. Does the issuing CA's public key validate the issuer's digital signature? The server uses the public key from the CA's certificate (which it found in its list of trusted CAs in Step 3) to validate the CA's digital signature on the certificate being presented. If the information in the certificate has changed since it was signed by the CA, or if the public key in the CA certificate doesn't correspond to the private key used by the CA to sign the certificate, the server won't authenticate the user's identity. If the CA's digital signature can be validated, the server treats the user's certificate as a valid "letter of introduction" from that CA and proceeds. At this point, the SSL protocol allows the server to consider the client authenticated and proceed with the connection as described in Step 6. Netscape servers may optionally be configured to perform Step 5 before Step 6.

5. Is the user's certificate listed in the LDAP entry for the user? This optional step provides one way for a system administrator to revoke a user's certificate even if it passes the tests in all the other steps. The Netscape Certificate Management System can automatically remove a revoked certificate from the user's entry in the LDAP directory. All servers that are set up to perform this step will then refuse to authenticate that certificate or establish a connection. If the user's certificate in the directory is identical to the user's certificate presented in the SSL handshake, the server goes on to Step 6.

6. Is the authenticated client authorized to access the requested resources? The server checks what resources the client is permitted to access according to the server's access control lists (ACLs) and establishes a connection with appropriate access. If the server doesn't get to Step 6 for any reason, the user identified by the certificate cannot be authenticated, and the user is not allowed to access any server resources that require authentication.
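Steps 3 to 6 above, worked through as an added example that is not part of the manual and is not Netscape's code. The Go program below uses only the standard library's crypto/x509 package: a self-signed CA stands in for the trusted CA, a second self-signed CA stands in for an issuer that is not on the server's list, an in-memory map keyed by user name stands in for the certificate stored in each user's LDAP entry (Step 5), and a second map stands in for the server's ACLs (Step 6). The CA names, user names, serial numbers and resource path are all constructed for the example; x509.Certificate.Verify performs Steps 3 and 4 together, because finding a trusted issuer and validating its signature on the presented certificate are both part of building the chain.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// makeCert builds a certificate for cn (constructed test data). With parent == nil it is a
// self-signed CA; otherwise it is a client-authentication certificate signed by parent.
func makeCert(cn string, serial int64, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
	signer := key
	if parent == nil { // self-signed CA: template is its own parent
		tmpl.IsCA, tmpl.BasicConstraintsValid = true, true
		tmpl.KeyUsage = x509.KeyUsageCertSign
		parent = tmpl
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
		signer = parentKey
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// Server models the state an SSL-enabled server consults in Steps 3 to 6.
type Server struct {
	TrustedCAs *x509.CertPool             // Step 3: the list of trusted CA certificates
	Directory  map[string][]byte          // Step 5: DER bytes of the cert in each user's directory entry (hypothetical stand-in for LDAP)
	ACL        map[string]map[string]bool // Step 6: resource -> users permitted to access it
}

// Authenticate runs Steps 3 to 6 for a presented client certificate and returns the user
// name on success, or an error that names the step at which the server stopped.
func (s *Server) Authenticate(presented *x509.Certificate, resource string) (string, error) {
	// Steps 3 and 4: find a chain ending in a trusted CA and check the CA's signature on
	// the presented certificate with that CA's public key.
	_, err := presented.Verify(x509.VerifyOptions{
		Roots:     s.TrustedCAs,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	})
	if err != nil {
		return "", fmt.Errorf("step 3/4: %w", err)
	}
	user := presented.Subject.CommonName

	// Step 5 (optional): the presented certificate must be identical to the one stored in
	// the user's directory entry; a revoked certificate has been removed from that entry.
	stored, ok := s.Directory[user]
	if !ok || !bytes.Equal(stored, presented.Raw) {
		return "", errors.New("step 5: certificate is not listed in the user's directory entry")
	}

	// Step 6: authorization against the server's ACL for the requested resource.
	if !s.ACL[resource][user] {
		return "", fmt.Errorf("step 6: %s is not authorized for %s", user, resource)
	}
	return user, nil
}

// Scenario builds one trusted CA, one CA that is not on the server's list, and four client
// certificates, then returns the outcome of each authentication attempt keyed by a label.
func Scenario() map[string]error {
	trustedCA, trustedKey := makeCert("Example Trusted CA", 1, nil, nil)
	otherCA, otherKey := makeCert("Example Unlisted CA", 2, nil, nil)
	alice, _ := makeCert("alice", 100, trustedCA, trustedKey)
	bob, _ := makeCert("bob", 101, trustedCA, trustedKey)
	bobOld, _ := makeCert("bob", 102, trustedCA, trustedKey) // superseded; no longer in bob's entry
	impostor, _ := makeCert("alice", 200, otherCA, otherKey)  // alice's name, issuer not trusted

	pool := x509.NewCertPool()
	pool.AddCert(trustedCA)
	srv := &Server{
		TrustedCAs: pool,
		Directory:  map[string][]byte{"alice": alice.Raw, "bob": bob.Raw},
		ACL:        map[string]map[string]bool{"/admin": {"alice": true}},
	}
	results := map[string]error{}
	_, results["alice-admin"] = srv.Authenticate(alice, "/admin")
	_, results["bob-admin"] = srv.Authenticate(bob, "/admin")
	_, results["bob-superseded"] = srv.Authenticate(bobOld, "/admin")
	_, results["untrusted-ca"] = srv.Authenticate(impostor, "/admin")
	return results
}

func main() {
	for label, err := range Scenario() {
		fmt.Printf("%-15s %v\n", label, err)
	}
}
```

Only alice's current certificate reaches the end of Step 6. Bob's current certificate passes Steps 3 to 5 but is stopped at Step 6 by the ACL; his superseded certificate is stopped at Step 5 even though its chain is valid, which is the revocation effect the manual describes; and the certificate carrying alice's name but issued by an unlisted CA never gets past Steps 3 and 4, because no trusted CA's public key validates its signature.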
Appendix K, Introduction to SSL: The SSL Handshake (page 809)
