3. This article describes the use of Digital Certificates as a mechanism for strongly authenticating users to web sites where identity information is required. Before the advent of digital certificates, the only option for authenticating users to a site was to assign a username and password. Digital certificates, on the other hand, provide much more robust access control and have a number of benefits over username and password.
5. Using a username and password, the process is generally as follows: each time a user wishes to access a web service, the user navigates to the site and authenticates themselves to the application using a unique username and password. This data is passed to the server (hopefully in an encrypted form); the application looks up the username and the password (or a representation of the password) in some form of access control list and, provided the information matches, the user is granted access.
7. * The username and password are passed over the web (encrypted or unencrypted) with the typical security concerns of interception.
8. * The systems administrator normally has unrestricted access to all usernames and passwords, with associated security and liability concerns for the service provider (especially with confidential data).
9. * The user needs to remember as many usernames and passwords as are required by their applications, leading to inevitable support issues to recover lost access data.
12. The user navigates to the website. Before allowing access, the server checks the certificate against the access database. The user enters the password locally to confirm their access right to the certificate and is admitted to the website.
20. All major web servers support client authentication via certificates. An SSL certificate on the web server (to support https) enables configuration of client authentication and only requires specification of the access rights for each directory served by the web server. Amend the web application to support client authentication by certificates. If any code was developed to handle username and password, then the certificate credentials can be looked up in an access control list in just the same way. Client certificates are issued via a Public Key Infrastructure (PKI). You can choose to implement your own or use the services of a Managed Service Provider such as Diginus Ltd.
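The following is an added illustration, not code from the article or from any web server or PKI product, of the point made in paragraphs 5 and 20: the password lookup and the certificate lookup can share one access control list. It assumes the web server has already terminated TLS and verified the client certificate chain, and that it exports the result to the application the way Apache mod_ssl does (the `SSL_CLIENT_VERIFY` variable, which reads `SUCCESS` only for a verified chain, and `SSL_CLIENT_CERT`, the PEM certificate, which requires `SSLOptions +ExportCertData`); nginx exposes equivalents that can be forwarded with `proxy_set_header`. The ACL entries, user names, salt and the "certificate" (an arbitrary byte string in PEM armour, not a real X.509 certificate) are all constructed for the example.

```python
import hashlib
import hmac
import ssl


def hash_password(password: str, salt: bytes) -> bytes:
    """Store a representation of the password (salted PBKDF2), never the password."""
    return hashlib.pbkdf2_hmac("sha256", password.encode("utf-8"), salt, 200_000)


def cert_fingerprint(pem: str) -> str:
    """SHA-256 over the DER form of a PEM certificate, as a hex string.

    The fingerprint is a stable ACL key that does not depend on how the
    subject DN happens to be rendered by a given web server.
    """
    return hashlib.sha256(ssl.PEM_cert_to_DER_cert(pem)).hexdigest()


# Constructed sample data (not real users, not a real certificate).
ALICE_SALT = b"constructed-per-user-salt"  # in practice os.urandom(16) per user
BOB_CERT_PEM = ssl.DER_cert_to_PEM_cert(b"constructed DER bytes, not a real certificate")

# One ACL keyed by identity: a username for password users, a certificate
# fingerprint for certificate users.  Both paths end in the same lookup.
ACL = {
    "alice": {
        "kind": "password",
        "salt": ALICE_SALT,
        "pw_hash": hash_password("correct horse battery", ALICE_SALT),
        "roles": {"reports"},
    },
    cert_fingerprint(BOB_CERT_PEM): {"kind": "certificate", "roles": {"reports", "admin"}},
}


def check_password(username: str, password: str):
    """Username/password path: look the user up and compare hashes in constant time."""
    entry = ACL.get(username)
    if entry is None or entry["kind"] != "password":
        return None
    candidate = hash_password(password, entry["salt"])
    if hmac.compare_digest(candidate, entry["pw_hash"]):
        return entry["roles"]
    return None


def check_certificate(env: dict):
    """Certificate path: `env` holds the variables the web server exported.

    The identity is trusted only when the server reports a verified chain;
    a certificate presented without verification (NONE / FAILED:...) is ignored.
    """
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    pem = env.get("SSL_CLIENT_CERT")
    if not pem:
        return None
    try:
        fingerprint = cert_fingerprint(pem)
    except ValueError:  # not valid PEM armour
        return None
    entry = ACL.get(fingerprint)
    if entry is None or entry["kind"] != "certificate":
        return None
    return entry["roles"]


def authorize(env: dict, form: dict, required_role: str) -> bool:
    """Prefer the certificate; fall back to form credentials when none is verified."""
    roles = check_certificate(env)
    if roles is None and "username" in form:
        roles = check_password(form["username"], form.get("password", ""))
    return roles is not None and required_role in roles


if __name__ == "__main__":
    verified = {"SSL_CLIENT_VERIFY": "SUCCESS", "SSL_CLIENT_CERT": BOB_CERT_PEM}
    unverified = {"SSL_CLIENT_VERIFY": "FAILED:unable to get local issuer certificate",
                  "SSL_CLIENT_CERT": BOB_CERT_PEM}
    print(authorize(verified, {}, "admin"))
    print(authorize(unverified, {}, "admin"))
    print(authorize({"SSL_CLIENT_VERIFY": "NONE"},
                    {"username": "alice", "password": "correct horse battery"}, "reports"))
```

The gate on `SSL_CLIENT_VERIFY` is the part most often omitted: if the application reads the certificate (or a subject DN header) without checking that the server actually verified it, any client can present an arbitrary certificate, so the web server configuration must also strip or overwrite those headers on incoming requests before the application sees them.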
22. Once customers or employees have digital certificates, the same certificates can be used to digitally sign email, PDF and web forms, and Microsoft Word documents. With a few small steps a corporate website can be transformed into the centre of a powerful web services infrastructure, with single sign-on to multiple web applications and signed email and forms data exchange, all the time knowing exactly who is accessing the resources and data.