Mailing List Archive

RE: [EXTERNAL] [users@httpd] Feasible to use both password TLS cert access on same directory?
Hi Tom

The TLS client cert verifies that the client device has use of the private key corresponding to the client cert. When verified, you have mutual authentication between the client device and the server device.

User name / password authenticates that hopefully a human knows the credentials.

These two techniques can be used separately or together.

Whenever user name / password is used, a TLS server connection is needed to protect the credentials in transit.

When both password and client cert are used, it could be called two-factor authentication.

Any of the above combinations are supported by httpd.

John Orendt
John.p.orendt@medtronic.com

From: Tom Browder <tom.browder@gmail.com>
Sent: Friday, September 3, 2021 3:46 PM
To: users@httpd.apache.org
Subject: [EXTERNAL] [users@httpd] Feasible to use both password TLS cert access on same directory?

I have a website that has been using private website user TLS certs successfully for over 10 years.

Now I am investigating providing user name and password access to it as well. (I have that implemented on another site and it has worked satisfactorily for a couple of years.)

My question is: can I provide both access methods to the same directory?

I know it would be not as secure as a TLS cert and it would reduce the overall security of the directory, but is it feasible?

Thanks.

-Tom
Re: RE: [EXTERNAL] [users@httpd] Feasible to use both password TLS cert access on same directory?
On Fri, Sep 3, 2021 at 16:21 Orendt, John
<john.p.orendt@medtronic.com.invalid> wrote:

> Hi Tom
>
...
>
> These two techniques can be used separately or together.
>
> When both password and client cert are used it could be called two factor
> authentication.
>
> Any of the above combinations are supported by httpd.
>
Thanks, John. But can I allow EITHER method to be used to access the SAME
directory? Do I have to provide a different path to the same landing point?
I definitely do NOT want two-factor authentication.

Answering my own question, I think the easy way out is to duplicate the TLS
cert "directory" into, say, "directory2" and provide password access to it.
That way the user with a cert selects one menu item ('Cert access') and
the user with only a password selects 'Password access'.

But if anyone can show the Apache code for doing that without the
duplication of the cert-protected directory that would be great.

Thanks again, John.

-Tom
Re: RE: [EXTERNAL] [users@httpd] Feasible to use both password TLS cert access on same directory?
Correct me if I'm wrong but I believe what you're looking for is
basically in the FAQ:
http://httpd.apache.org/docs/current/ssl/ssl_howto.html#intranet

That's a slightly more complex idea, however it looks to me like the
combination of settings is there to be played with.

-Rob
Re: RE: [EXTERNAL] [users@httpd] Feasible to use both password TLS cert access on same directory?
On Sat, Sep 4, 2021 at 08:44 Rob <rob-apache@mintsoft.net.invalid> wrote:

> Correct me if I'm wrong but I believe what you're looking for is basically
> in the FAQ:
> http://httpd.apache.org/docs/current/ssl/ssl_howto.html#intranet
>
Thanks, Ron. I agree that seems to have the right settings combination if
I back out the intranet stuff.

I'll try it and see what happens.

-Tom
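
An added example, not part of the thread and not any poster's own configuration: one way to let EITHER a verified client certificate OR a user name and password open the same directory in httpd 2.4, without duplicating the directory. The host name, file paths, realm name and verify depth are placeholders and assumptions; `Require ssl-verify-client` is the mod_ssl authorization provider intended for use with `SSLVerifyClient optional`.

```apache
<VirtualHost *:443>
    # Placeholder host name and file paths (assumptions, not from the thread)
    ServerName www.example.com

    SSLEngine on
    SSLCertificateFile    "/etc/httpd/tls/server.crt"
    SSLCertificateKeyFile "/etc/httpd/tls/server.key"

    # CA that issued the private user certificates
    SSLCACertificateFile  "/etc/httpd/tls/private-ca.crt"

    # Request a client certificate during the handshake, but let the
    # connection proceed when the browser does not present one.
    # Set at virtual-host level so no per-directory renegotiation is needed.
    SSLVerifyClient optional
    # Assumes user certs are issued directly by the CA above
    SSLVerifyDepth  1

    <Directory "/var/www/private">
        # Basic authentication over TLS for users who have no certificate
        AuthType Basic
        AuthName "Private area"
        AuthBasicProvider file
        AuthUserFile "/etc/httpd/private.htpasswd"

        # Access is granted when ANY one of these succeeds:
        #  - the client presented a certificate that verified against the CA
        #  - the client supplied a valid user name and password
        # A user with a valid certificate is not prompted for a password.
        <RequireAny>
            Require ssl-verify-client
            Require valid-user
        </RequireAny>
    </Directory>
</VirtualHost>
```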