Which of the following is more appropriate to use as an identification field in a database to represent a client, when two-way SSL authentication is used?

  1. The client's X500Principal

    OR

  2. The thumbprint of the client's certificate

+2  A: 

What is appropriate depends on what you are doing with the authentication information, but in general I would guess that you want to use the subject distinguished name (DN) which you can retrieve with the java.security.cert.X509Certificate.getSubjectX500Principal method.

The thumbprint will change when the certificate expires and the user renews it, but of course the user's identity will remain the same.

GregS
Thanks. I'd be using it for authorization purposes. The server will, for example, keep a mapping of clients to operations, and refer to that list to determine whether a particular client is allowed to perform a certain operation. Will the Subject DN be unique enough for this purpose?
Hippo
It should be unique, but you'll have to ask the certificate authority what they do in the case of two different people with identical names.
GregS
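The approach from the answer and the follow-up comments, as an added example (not code from the poster or the commenters): it builds a canonical subject-DN key with the getSubjectX500Principal method the answer names, an issuer-scoped key for the identical-names case the comments raise, and the certificate thumbprint for comparison. The class name, method names and the sample ACL are assumptions; Set.of needs Java 9 or later.

```java
import java.io.FileInputStream;
import java.security.MessageDigest;
import java.security.cert.CertificateFactory;
import java.security.cert.X509Certificate;
import java.util.HashMap;
import java.util.Map;
import java.util.Set;
import javax.security.auth.x500.X500Principal;
public class ClientIdentity {
    // Canonical subject DN: unchanged when the client renews its certificate, and
    // normalised (case, whitespace, attribute order) so it is safe as a map key.
    static String subjectKey(X509Certificate cert) {
        return cert.getSubjectX500Principal().getName(X500Principal.CANONICAL);
    }

    // Issuer DN + subject DN: tells apart two clients with identical subject names
    // that were certified by different CAs in the server's trust store.
    static String scopedKey(X509Certificate cert) {
        return cert.getIssuerX500Principal().getName(X500Principal.CANONICAL)
                + " | " + subjectKey(cert);
    }

    // SHA-256 over the DER encoding: changes on every renewal, so it fits audit logs, not authorization.
    static String thumbprint(X509Certificate cert) throws Exception {
        byte[] digest = MessageDigest.getInstance("SHA-256").digest(cert.getEncoded());
        StringBuilder hex = new StringBuilder();
        for (byte b : digest) hex.append(String.format("%02x", b));
        return hex.toString();
    }

    // Authorization lookup against a client -> allowed-operations mapping.
    static boolean isAllowed(Map<String, Set<String>> acl, X509Certificate cert, String op) {
        Set<String> ops = acl.get(scopedKey(cert));
        return ops != null && ops.contains(op);
    }

    // Usage: java ClientIdentity client.pem  (on a live server the certificate
    // comes from SSLSession.getPeerCertificates()[0] rather than a file)
    public static void main(String[] args) throws Exception {
        CertificateFactory cf = CertificateFactory.getInstance("X.509");
        X509Certificate cert;
        try (FileInputStream in = new FileInputStream(args[0])) {
            cert = (X509Certificate) cf.generateCertificate(in);
        }
        Map<String, Set<String>> acl = new HashMap<>();
        acl.put(scopedKey(cert), Set.of("read"));   // constructed sample policy
        System.out.println("key=" + scopedKey(cert) + " thumbprint=" + thumbprint(cert));
        System.out.println("read=" + isAllowed(acl, cert, "read") + " write=" + isAllowed(acl, cert, "write"));
    }
}
```

Running it on a renewed certificate for the same client prints the same key but a different thumbprint, which is exactly why the answer prefers the DN; the issuer-scoped key only helps as far as each CA in the trust store keeps subject names unique.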