Appendix K: Introduction to SSL, page 809
The SSL Handshake
3. Is the issuing CA a trusted CA? Each SSL-enabled server maintains a list of trusted CA certificates, represented by the shaded area on the right side of Figure K-3. This list determines which certificates the server will accept. If the DN of the issuing CA matches the DN of a CA on the server’s list of trusted CAs, the answer to this question is yes, and the server goes on to Step 4. If the issuing CA is not on the list, the client will not be authenticated unless the server can verify a certificate chain ending in a CA that is on the list. Administrators can control which certificates are trusted or not trusted within their organizations by controlling the lists of CA certificates maintained by clients and servers.
4. Does the issuing CA’s public key validate the issuer’s digital signature? The server uses the public key from the CA’s certificate (which it found in its list of trusted CAs in Step 3) to validate the CA’s digital signature on the certificate being presented. If the information in the certificate has changed since it was signed by the CA, or if the public key in the CA certificate doesn’t correspond to the private key used by the CA to sign the certificate, the server won’t authenticate the user’s identity. If the CA’s digital signature can be validated, the server treats the user’s certificate as a valid “letter of introduction” from that CA and proceeds. At this point, the SSL protocol allows the server to consider the client authenticated and proceed with the connection as described in Step 6. Netscape servers may optionally be configured to perform Step 5 before Step 6.
5. Is the user’s certificate listed in the LDAP entry for the user? This optional step provides one way for a system administrator to revoke a user’s certificate even if it passes the tests in all the other steps. The Netscape Certificate Management System can automatically remove a revoked certificate from the user’s entry in the LDAP directory. All servers that are set up to perform this step will then refuse to authenticate that certificate or establish a connection. If the user’s certificate in the directory is identical to the user’s certificate presented in the SSL handshake, the server goes on to Step 6.
6. Is the authenticated client authorized to access the requested resources? The server checks what resources the client is permitted to access according to the server’s access control lists (ACLs) and establishes a connection with appropriate access. If the server doesn’t get to Step 6 for any reason, the user identified by the certificate cannot be authenticated, and the user is not allowed to access any server resources that require authentication.
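To make Steps 3 to 6 concrete, the following is an added example in Go; it is not code from the Netscape documentation or from Certificate Management System. It builds a throwaway CA and a client certificate in memory and runs a server-side policy through the four checks in the order the text gives them. The trusted-CA list, the user's directory entry and the ACLs are assumed to be in-memory maps standing in for the server's CA list, the LDAP entry and the server's ACLs; the names "Example Trusted CA", "Some Other CA", "alice", "bob" and "/payroll" are constructed for the example. It also exercises a case the text implies but does not spell out: a second CA that reuses the trusted CA's DN passes the name match of Step 3 but fails Step 4, because its key does not validate the signature. Multi-level chain building (the "certificate chain ending in a CA that is on the list" case) is left out; only a directly issued certificate is checked.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// PKI is a constructed, in-memory CA plus one client certificate it issued.
type PKI struct {
	CA   *x509.Certificate
	User *x509.Certificate
}

func mustCreate(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// NewPKI builds a self-signed CA named caName and a client-auth certificate for userCN signed by it.
func NewPKI(caName, userCN string) PKI {
	now := time.Now()
	caKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	caTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: caName},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	ca := mustCreate(caTmpl, caTmpl, &caKey.PublicKey, caKey)
	userKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	userTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: userCN},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	return PKI{CA: ca, User: mustCreate(userTmpl, ca, &userKey.PublicKey, caKey)}
}

// Server holds the three pieces of state the text describes: the trusted-CA list (Step 3),
// the user directory (Step 5, an assumed stand-in for the LDAP entry) and the ACLs (Step 6).
type Server struct {
	TrustedCAs map[string]*x509.Certificate // CA subject DN -> CA certificate
	Directory  map[string][]byte            // user subject DN -> DER certificate stored in the entry
	ACL        map[string]map[string]bool   // resource -> set of permitted user CNs
}

func NewServer() *Server {
	return &Server{TrustedCAs: map[string]*x509.Certificate{}, Directory: map[string][]byte{}, ACL: map[string]map[string]bool{}}
}
func (s *Server) Trust(ca *x509.Certificate)     { s.TrustedCAs[ca.Subject.String()] = ca }
func (s *Server) Publish(user *x509.Certificate) { s.Directory[user.Subject.String()] = user.Raw }
func (s *Server) Revoke(user *x509.Certificate)  { delete(s.Directory, user.Subject.String()) }

// Authenticate runs Steps 3 to 6 on a presented client certificate. It returns 0 when the
// client is authenticated and authorized for resource, otherwise the number of the failing step.
func (s *Server) Authenticate(cert *x509.Certificate, resource string) (int, error) {
	// Step 3: is the issuer DN on the server's list of trusted CAs?
	ca, ok := s.TrustedCAs[cert.Issuer.String()]
	if !ok {
		return 3, fmt.Errorf("issuer %q is not a trusted CA", cert.Issuer.String())
	}
	// Step 4: does that CA's public key validate the signature? A DN match alone is not
	// enough; a certificate from an impostor CA with the same name is rejected here.
	if err := cert.CheckSignatureFrom(ca); err != nil {
		return 4, fmt.Errorf("signature check failed: %w", err)
	}
	// Step 5 (optional): is the identical certificate still in the user's directory entry?
	stored, ok := s.Directory[cert.Subject.String()]
	if !ok || !bytes.Equal(stored, cert.Raw) {
		return 5, fmt.Errorf("certificate for %q not present in directory entry", cert.Subject.String())
	}
	// Step 6: is the authenticated user authorized for the requested resource?
	if !s.ACL[resource][cert.Subject.CommonName] {
		return 6, fmt.Errorf("%q is not permitted to access %q", cert.Subject.CommonName, resource)
	}
	return 0, nil
}

func main() {
	good, impostor, other := NewPKI("Example Trusted CA", "alice"), NewPKI("Example Trusted CA", "alice"), NewPKI("Some Other CA", "bob")
	srv := NewServer()
	srv.Trust(good.CA)
	srv.Publish(good.User)
	srv.ACL["/payroll"] = map[string]bool{"alice": true}
	for _, c := range []struct {
		name string
		cert *x509.Certificate
	}{{"alice, trusted CA", good.User}, {"alice, impostor CA", impostor.User}, {"bob, unknown CA", other.User}} {
		step, err := srv.Authenticate(c.cert, "/payroll")
		fmt.Printf("%-20s failed at step %d: %v\n", c.name, step, err)
	}
}
```

The impostor case is the reason Step 4 exists as a separate check: anything can claim a trusted CA's DN in its issuer field, so the server must confirm that the listed CA's public key actually verifies the signature before treating the certificate as that CA's "letter of introduction". Revocation in Step 5 works by comparing the full DER encoding, so a re-issued certificate for the same user with a different serial number is also rejected until the directory entry is updated.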