Automatic generation of a website “token” for SSL authenticate on user's first visit on an Apache2 server

TLDR: I'm looking for a software based two-factor authentication system.

Summary: I am trying to find a solution equivalent to an SSL client side certificate, except that said certificate would optimally be generated at the first connection of the browser to the server.

Long version: I want to automatically generate a security token using a PKCS#11 style authentication system so that when a user uses a certain login-code to a website, that computer can always connect to the user's page (without requiring a username).

I also cannot require PKCS#12 style certificates which require 5-10 steps to install in a client's browser, especially as that certificate installation may be locked down. The goal of this request is to explore the ability for a browser to provide authentic two-factor authentication in a seamless fashion. At present, it seems only Sun is talking about PKCS#11 and browser support for client side certs is difficult to explain quickly.

As a caveat, talking about a browser-internal PKCS#11 may be incorrect, or may be a function of PKCS#15. I suspect I'm not asking the right question here. Any suggestions would be appreciated.

You probably mean the KEYGEN tag that generates a key pair via the browser and places the end result in some software store, as you want to generate software certificates on the fly.

Keygen has several problems and shortcomings, like you can't enforce a PIN/password policy and thus have the two-factor properties, and it is in fact not a real standard and does not work everywhere.

PKCS#15 is totally out of topic here as it deals with a filesystem format on the smart card that is hidden way below the browser/https/cryptoapi layer.

PKCS#11 only matters with Firefox as IE and Safari both use native platform certificate stores and APIs (CryptoAPI and CDSA/Keychain respectively) internally.
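
An added example, not part of the original answer or of any project's code: a `<keygen>` form field submits a SignedPublicKeyAndChallenge (SPKAC) blob, and the Node.js code below shows the checks a server should make on it before issuing a certificate. The browser side is simulated with a locally generated RSA key, and the names `makeSpkac` and `checkEnrollment` are hypothetical.

```javascript
const crypto = require('crypto');

// Minimal DER tag-length-value encoder (bodies up to 65535 bytes).
function der(tag, body) {
  const n = body.length;
  const len = n < 0x80 ? [n] : n < 0x100 ? [0x81, n] : [0x82, n >> 8, n & 0xff];
  return Buffer.concat([Buffer.from([tag, ...len]), body]);
}

// AlgorithmIdentifier for sha256WithRSAEncryption (OID 1.2.840.113549.1.1.11).
const SHA256_RSA = Buffer.from('300d06092a864886f70d01010b0500', 'hex');

// Browser side (simulated): sign SEQUENCE { SubjectPublicKeyInfo, IA5String challenge }
// with the freshly generated private key and wrap it as base64 SPKAC.
function makeSpkac(privateKey, publicKey, challenge) {
  const spki = publicKey.export({ type: 'spki', format: 'der' });
  const pkac = der(0x30, Buffer.concat([spki, der(0x16, Buffer.from(challenge, 'ascii'))]));
  const sig = crypto.sign('sha256', pkac, privateKey);
  const bitString = der(0x03, Buffer.concat([Buffer.from([0x00]), sig]));
  return der(0x30, Buffer.concat([pkac, SHA256_RSA, bitString])).toString('base64');
}

// Server side: accept the key only if the self-signature verifies (proof of
// possession) and the embedded challenge is the one issued for this session.
function checkEnrollment(spkacB64, expectedChallenge) {
  const blob = Buffer.from(spkacB64.replace(/\s+/g, ''), 'ascii');
  if (!crypto.Certificate.verifySpkac(blob)) {
    return { ok: false, reason: 'bad signature' };
  }
  const got = crypto.Certificate.exportChallenge(blob);
  const want = Buffer.from(expectedChallenge, 'ascii');
  if (got.length !== want.length || !crypto.timingSafeEqual(got, want)) {
    return { ok: false, reason: 'challenge mismatch' };
  }
  // Only now is the public key handed on to whatever signs the client certificate.
  return { ok: true, publicKeyPem: crypto.Certificate.exportPublicKey(blob).toString() };
}

// Constructed sample run: one key pair, one per-session challenge.
function demo() {
  const { privateKey, publicKey } = crypto.generateKeyPairSync('rsa', { modulusLength: 2048 });
  const spkac = makeSpkac(privateKey, publicKey, 'session-nonce-1');
  return checkEnrollment(spkac, 'session-nonce-1').ok;
}
```

Nothing in the SPKAC says how the private key is protected on the client, which is the PIN/password-policy gap the answer points out.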
