Originally Posted by
anomie
I'm not sure. But it may be that I am not understanding your idea:
If your goal is client authentication (i.e. the client is going to sign a random string from the server), how will public key distribution help anyway? You need to have a secure way to distribute secret keys (i.e. private keys) to the clients, right?
OK, my idea is this
Code:
+-------+     +------+
|   P   |<--->|  U   |
+-------+     +------+
    ^
    |
    v
+-------+
|  WA   |
+-------+
P is the proxy (say on port 8383)
WA is a web application (say a wiki on port 80)
P and WA are on the same machine running Apache, whose name is www.example.com
The user (U) points his browser to www.example.org:8383 and gets a mask asking for an e-mail address and a field where the user encrypts a random text (supplied by P) with the secret key of that e-mail address.
If the same text encrypted by P using the public key is equal to the one given by the user, the user is authorized to access WA via port 8383.
(WA accepts only localhost requests, so anybody has to go through the proxy and not directly to WA.)
(Details: P looks for the public key on a certain key server, and it has to have been generated more than n days ago.)
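The challenge-response sketched above, written out as an added example (not the poster's code): ed25519 signing and verification stand in for "encrypting with the secret key" and "comparing after encrypting with the public key", in-memory maps stand in for the key-server lookup, and a set of outstanding challenges makes each random text single use so a captured response cannot be replayed. The field names, the minimum-age check as a duration, and the sample address are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
	"errors"
	"time"
)

// Proxy models P. The maps stand in for the key-server lookup described in the post (assumed).
type Proxy struct {
	Pending map[string]bool              // outstanding challenges, consumed on first use
	Keys    map[string]ed25519.PublicKey // e-mail address -> public key
	Created map[string]time.Time         // e-mail address -> key creation time
	MinAge  time.Duration                // the "generated more than n days ago" rule
}

// Challenge issues the random text that U must sign.
func (p *Proxy) Challenge() ([]byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return nil, err
	}
	p.Pending[hex.EncodeToString(nonce)] = true
	return nonce, nil
}

// Verify is P's check: the challenge must still be outstanding (so a captured
// response cannot be replayed), the key old enough, and the signature valid.
func (p *Proxy) Verify(email string, nonce, sig []byte) error {
	id := hex.EncodeToString(nonce)
	if !p.Pending[id] {
		return errors.New("unknown or already used challenge")
	}
	delete(p.Pending, id) // single use, whether or not the rest succeeds
	pub, ok := p.Keys[email]
	if !ok || time.Since(p.Created[email]) < p.MinAge {
		return errors.New("no public key of sufficient age for address")
	}
	if !ed25519.Verify(pub, nonce, sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Respond is U's side: sign the challenge with the private key for the address.
func Respond(priv ed25519.PrivateKey, nonce []byte) []byte { return ed25519.Sign(priv, nonce) }
```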