HTTP authentication and HTTP encryption (i.e., HTTPS) are orthogonal concepts - they can be used together or each of them individually.
Thanks Ulf, that was exactly what was getting me confused. I came back to this thread to post what I had found in the Servlet Spec. In section SRV.12.5.4 (Page 95) it describes the various authentication methods (Basic, Digest, Form-based and HTTPS Client authentication).
This means that what the HF book refers to as CLIENT-CERT authentication is referred to in the Spec as HTTPS Client authentication. I think future versions of this book (which is great, BTW) could go to slightly greater lengths to distinguish between:
(i) HTTPS transport-level encryption (via <transport-guarantee> element).
(ii) HTTPS-based authentication via client certificates.
I still have a few questions though...
Firstly, I just want to clarify part of Paul's quotation:
End user authentication using HTTPS...requires the user to possess a Public Key Certificate (PKC).
...It uses HTTP over SSL, in which the server and, optionally, the client authenticate one another with Public Key Certificates.
Question: Why is the authentication of the client optional?
Secondly, in the URL he references it shows an example DD for CLIENT-CERT with a <realm-name> element. However, in the Specification it says "The realm-name indicates the realm name to use in HTTP BASIC authentication." (Page 144). Is the spec being misleading here or is the example incorrect?
Finally, Paul says:
No, the certificate doesn't necessarily need to come from somebody like Verisign. You can easily create your own, self-signed certificates with puttygen (Windows), openssl (Linux) or many other tools.
As I understand it this will create a certificate, but it will not be a "trusted" certificate since it doesn't come from a Certificate Authority (CA). Is this correct?
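To make the distinction between (i) transport-level encryption and (ii) client-certificate authentication concrete, here is an added web.xml fragment that is not from the thread, the Servlet Spec or the HF book; the resource name, URL pattern and role name are assumed values.

```xml
<!-- Constructed deployment descriptor fragment (added example, not from the thread). -->
<web-app>

  <!-- (i) Transport-level protection: CONFIDENTIAL makes the container require HTTPS
       for matching requests, regardless of how, or whether, the user is authenticated. -->
  <security-constraint>
    <web-resource-collection>
      <web-resource-name>Secure area</web-resource-name>   <!-- assumed name -->
      <url-pattern>/secure/*</url-pattern>                  <!-- assumed pattern -->
    </web-resource-collection>
    <auth-constraint>
      <role-name>customer</role-name>                       <!-- assumed role -->
    </auth-constraint>
    <user-data-constraint>
      <transport-guarantee>CONFIDENTIAL</transport-guarantee>
    </user-data-constraint>
  </security-constraint>

  <!-- (ii) Authentication via the client's certificate: the container uses the certificate
       presented in the TLS handshake to identify the user. The spec ties <realm-name> to
       BASIC authentication, so it is omitted here. -->
  <login-config>
    <auth-method>CLIENT-CERT</auth-method>
  </login-config>

  <security-role>
    <role-name>customer</role-name>
  </security-role>

</web-app>
```

The two settings are independent, as Ulf notes above: a CONFIDENTIAL constraint with BASIC or FORM as the auth-method still encrypts the exchange, while CLIENT-CERT decides who the user is.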