Closed: troubas closed this issue 4 years ago

I'm a bit confused about the purpose of the client certificate. The only situation I see a point in those certificates is if the server keeps the private key and we provide our users with the public key as the login mechanism. (And for maximum security then switching to a random synchronous key for communication.)

However, at the moment the only authentication happens using:

All an attacker requires is that string and a certificate our server trusts (for example from any public certification authority). -- Or am I mistaken?

Can anyone provide me with the current authentication system and the purposes of the different certificates? If you'd like, I could help you develop a concept which secures user login and authenticity?

Best Regards,

---

Read the source code. Read the GnuTLS sample client/server code. Then we talk.

---

Fair enough. I've tried skimming through the code but sadly I'm not well enough acquainted with GnuTLS and C++ and currently do not have the time to kneel in more deeply =/

I will close this issue as there won't be any progress from my side any time soon.