On Monday 19 July 2004 17.43, Frantisek Dufka wrote:[...]
Pound will check your client certificates, but you are mixing up two separate
issues here:
- Pound can verify the validity of the certificate presented by the client: it
can be used to allow only clients that present a certificate, or only clients
that present certificates issued by certain CAs.
- The above has nothing to do with identification: the fact that your client
presents a certificate does not tell you who it actually is.
[...]
Yes.
[...]
If the above checks are enough for you then you are set. If your application
asks the users for a password the problem is solved, otherwise you will need
to modify the application - it should either look at the X-SSL-* headers or
do basic authentication (which would go through HTTPS). Only you can decide
what the security requirements are.[...]
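As an added example of the application-side change suggested above (written for this page, not from the thread or from Pound's own code): a backend behind Pound that takes the user identity from the X-SSL-Subject and X-SSL-Issuer headers Pound sets once it has verified the client certificate, and otherwise falls back to HTTP Basic authentication. The trusted CA name, the user table and the password are constructed sample values.

```python
import base64
import hmac
import re
from typing import Mapping, Optional

# Constructed sample data: the client CA whose certificates the application
# maps to users, the e-mail addresses it knows, and one Basic-auth account.
TRUSTED_ISSUER = "/C=XX/O=Example Corp/CN=Example Corp Client CA"
CERT_USERS = {"alice@example.test": "alice", "bob@example.test": "bob"}
PASSWORDS = {"carol": "s3cret"}


def user_from_client_cert(headers: Mapping[str, str]) -> Optional[str]:
    """Identify the user from the X-SSL-Subject/X-SSL-Issuer headers Pound sets
    after it has verified the client certificate; None if there is none."""
    subject = headers.get("X-SSL-Subject")
    issuer = headers.get("X-SSL-Issuer")
    if not subject or not issuer:
        return None  # no verified client certificate on this request
    if issuer != TRUSTED_ISSUER:
        return None  # valid certificate, but not from the CA we map users from
    # Pound writes the DN in OpenSSL one-line form: /C=../O=../emailAddress=..
    m = re.search(r"/emailAddress=([^/]+)", subject)
    return CERT_USERS.get(m.group(1)) if m else None


def user_from_basic_auth(headers: Mapping[str, str]) -> Optional[str]:
    """Fallback: HTTP Basic credentials, acceptable only because Pound
    terminates HTTPS in front of the application."""
    auth = headers.get("Authorization", "")
    if not auth.startswith("Basic "):
        return None
    try:
        user, _, password = base64.b64decode(auth[6:]).decode().partition(":")
    except ValueError:  # malformed base64 or non-UTF-8 bytes
        return None
    expected = PASSWORDS.get(user)
    # constant-time comparison so a wrong guess does not leak by timing
    if expected is not None and hmac.compare_digest(expected, password):
        return user
    return None


def identify(headers: Mapping[str, str]) -> Optional[str]:
    """Certificate identity first, Basic auth second; None means anonymous.
    Only meaningful if the backend is reachable from Pound alone: a client
    that can reach it directly can set X-SSL-* headers itself."""
    return user_from_client_cert(headers) or user_from_basic_auth(headers)
```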