Is the following statement true or false?
If your DD correctly declares an authentication type of CLIENT_CERT, your users must have a certificate from an official source before they can use your application.
The answer is false while I think it should be true.
"your users must have a certificate from an official source before they can use your application." Answer false is correct. Even if the user does not have a certificate, the server will prompt for certificate acceptance, so to access that application you do not need to have a certificate beforehand. If I am not correct, let me know.
As per my understanding, when we make any website SSL encrypted, we purchase a valid certificate from some vendor like VeriSign, which we configure on the server. So as long as the server has a valid certificate, whenever any user tries to access that site he will get a client certificate if he does not have a certificate before. Please correct me if I am wrong.
"where the server provides a certificate to your browser. Depending on your browser's security settings, you generally see a dialog box asking whether or not you want to trust the certificate the server is offering you (we hope signed by Thawte, VeriSign, or whomever). If you accept, the transaction can continue, and the server's public key can be used to encrypt communications between you. So certificates provide the foundation for secure transport as well as dealing with the issue of identity."
"If your DD correctly declares an authentication type of CLIENT_CERT, your users must have a certificate from an official source before they can use your application."
The client needs to have a certificate, but not necessarily from some official source. The client can use a self-signed certificate which the client gets from the browser. That's why 'false' would be the right option for the above question. If anybody has another opinion, let us know.
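
The point about self-signed client certificates, as an added example that is not part of the original thread: with client-certificate authentication the server accepts a certificate only if it chains to an anchor in the server's own truststore, whether or not a commercial CA issued it. The names `alice`, `bob` and `truststore.pem` are constructed for the demo, and it assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added illustration; certificate names and file paths are constructed.

# make_self_signed <name> <dir>: create a throwaway self-signed certificate,
# i.e. one that no commercial CA has issued.
make_self_signed() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$1" \
    -keyout "$2/$1.key" -out "$2/$1.crt" >/dev/null 2>&1
}

# server_accepts <truststore.pem> <client.crt>: succeed only if the client
# certificate chains to an anchor in the given truststore. This mirrors the
# check a TLS server makes on the certificate a client presents.
server_accepts() {
  openssl verify -CAfile "$1" "$2" 2>&1 | grep -q ': OK$'
}

# run_demo: enrol alice's self-signed certificate in the server truststore,
# leave bob's out, and report which of the two the server would accept.
run_demo() {
  dir=$(mktemp -d) || return 1
  make_self_signed alice "$dir" || return 1
  make_self_signed bob "$dir" || return 1

  # The server administrator trusts alice's certificate directly.
  cp "$dir/alice.crt" "$dir/truststore.pem"

  enrolled=no
  unenrolled=no
  server_accepts "$dir/truststore.pem" "$dir/alice.crt" && enrolled=yes
  server_accepts "$dir/truststore.pem" "$dir/bob.crt" && unenrolled=yes

  rm -rf "$dir"
  echo "enrolled=$enrolled unenrolled=$unenrolled"
}

run_demo
```

Both certificates are self-signed; the only difference is that one was placed in the server's truststore ahead of time, which is why the client must already hold a certificate the server recognises before it connects.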