Suppose you have a mutual SSL service, which in addition to the SSL, has application authentication. Thus, clients provide certificates (as well as servers), but the client request (e.g., REST request) also contains a username/password which the back-end application server authenticates with.

In terms of the "degree" of client authentication, it seems that there are multiple levels. One level (a) is simply for the client to provide a cert that is signed by a CA which is in the server CA store. Another obvious level (b) is for the server to enforce (a) plus ensure that the application credentials are correct. A third level (c) is to do (a) and (b) plus ensure that the client cert is uniquely associated with the account.

The benefit of (c) is that it prevents someone who is trusted by a "trusted CA" to abuse an application password illegally obtained.

I realize this is all very unlikely, but I am wondering to what extent (c) is assumed to be part of mutual SSL, versus simply (a) or (b)?
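As an added illustration (not part of the question or of the answer below), the following Python sketch makes the three levels concrete on the application side. It assumes the TLS layer has already verified the client chain against the server CA store (level a) and hands the application the DER bytes of the peer certificate (in Python's `ssl` module that is `getpeercert(binary_form=True)`); the `Account` store, `enroll` and `authenticate` are hypothetical names, and the certificate byte strings are constructed placeholders standing in for real DER.

```python
import hashlib
import hmac
import os
from dataclasses import dataclass

PBKDF2_ITERATIONS = 100_000  # tune to your hardware; constant for all accounts


@dataclass
class Account:
    username: str
    pw_salt: bytes
    pw_hash: bytes
    cert_fingerprint: str  # SHA-256 hex of the DER client cert bound at enrolment


def hash_password(password: str, salt: bytes) -> bytes:
    """Salted PBKDF2-HMAC-SHA256 of the application password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, PBKDF2_ITERATIONS)


def cert_fingerprint(cert_der: bytes) -> str:
    """Identity of a client certificate for binding purposes: SHA-256 over the DER."""
    return hashlib.sha256(cert_der).hexdigest()


def enroll(username: str, password: str, cert_der: bytes) -> Account:
    """Create an account and bind it to exactly one client certificate."""
    salt = os.urandom(16)
    return Account(username, salt, hash_password(password, salt), cert_fingerprint(cert_der))


def authenticate(accounts: dict, username: str, password: str,
                 peer_cert_der: bytes, level: str = "c") -> str:
    """Return "ok" or a short rejection reason for the requested level (a, b or c)."""
    # Level (a): chain validation already happened in the TLS handshake; here we only
    # confirm that a client certificate was presented at all.
    if not peer_cert_der:
        return "no-client-cert"
    if level == "a":
        return "ok"

    account = accounts.get(username)
    if account is None:
        # Spend the same PBKDF2 cost for unknown users so response time does not
        # reveal which usernames exist.
        hash_password(password, b"\x00" * 16)
        return "bad-credentials"

    # Level (b): the application credentials must match.
    if not hmac.compare_digest(hash_password(password, account.pw_salt), account.pw_hash):
        return "bad-credentials"
    if level == "b":
        return "ok"

    # Level (c): the presented certificate must be the one bound to this account.
    # A valid cert from the same trusted CA plus a leaked password is not enough.
    if not hmac.compare_digest(cert_fingerprint(peer_cert_der), account.cert_fingerprint):
        return "cert-not-bound-to-account"
    return "ok"


if __name__ == "__main__":
    # Constructed placeholder "DER" bytes; real code passes the actual peer certificate.
    alice_cert = b"constructed-DER-bytes-for-alice-cert"
    other_cert = b"constructed-DER-bytes-for-another-CA-signed-cert"
    accounts = {"alice": enroll("alice", "correct horse battery", alice_cert)}
    print(authenticate(accounts, "alice", "correct horse battery", alice_cert))           # ok
    print(authenticate(accounts, "alice", "correct horse battery", other_cert, "b"))      # ok
    print(authenticate(accounts, "alice", "correct horse battery", other_cert, "c"))      # cert-not-bound-to-account
```

The last two calls are the scenario from the question: a holder of some other certificate issued by the same trusted CA who has obtained alice's password passes at level (b) but is refused at level (c), because the binding is to the specific certificate, not to "any certificate the CA store trusts". The fingerprint stored at enrolment has to be re-bound when the client's certificate is renewed, which is the operational price of (c).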

+1  A: 

Yeah, I was thinking about something similar.

One thing that you can do is give your application a separate truststore that does not contain any CAs. This way you can just give access to clients with self-signed certificates that you have authorized.

sixtyfootersdude