Posted to users@tomcat.apache.org by Ja...@cardsetc.com on 2000/08/10 01:28:48 UTC

Re: SSL Authentication with J2EE

> And finally, what advantage, other than lack of login, would SSL as
> full, mutual authentication method, offer over form based authentication
> over a https connection?

Well, lack of login is a pretty strong advantage for many people.

Because of the crypto involved in mutual authentication, I believe you
defeat some man-in-the-middle attacks that are otherwise possible (albeit
with an enemy with large resources) when SSL has server auth only. Someone
else with better knowledge of crypto might be able to confirm this...

Also, there are many products out there that enable you to hold a
certificate on a secure token (i.e. a smartcard) with software that
interfaces between the smartcard and web browser, enabling you to pick a
cert off your card and send it to a web server. Rather than having to
remember a login for each website you want to use (and of course, you will
end up using the same userid/password for each one - lower security but
higher chance of remembering it), you simply have to remember the PIN that
unlocks your smartcard. Depending on your setup, you might not even have to
provide a PIN, rather some kind of biometric that is held on the card (i.e.
thumb print, retinal scan, etc., etc.).

Take a look at the offerings of ActivCard (http://www.activcard.org) for an
example of these sorts of things.

Full disclosure: the firm I work for is in the business of smartcards as
well ;-)

Regards,
James W.




Re: SSL Authentication with J2EE

Posted by Michael Rimov <ri...@centercomp.com>.
At 09:28 AM 8/10/2000 +1000, you wrote:
>Take a look at the offerings of ActivCard (http://www.activcard.org) for an
>example of these sorts of things.

James,

I tried the above link (and several spelling/ending variations) and 
couldn't get anywhere.  Could you check it for me?  Thanks!
                                                 -Mike