Strong Client Authentication

Since SSL 3.0, there has been an optional additional step possible in an SSL/TLS connection. A person (or device) can be issued an X.509 public key Client Certificate. A client certificate binds a person's name and email address (and possibly other items such as organization name, city, state and country) to the public key. It is used to identify a person (or perhaps a non-web-based device, like a sensor).

In this optional step, the server prompts the client to send its Client Certificate. The server then performs the same verification and challenge on that certificate (checking the certificate and requiring the client to prove that it holds the matching private key) that the client previously performed on the server's certificate. Assuming the challenge is successfully answered, this establishes Client to Server Authentication. This can replace Username/Password Authentication.
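The following Go program is an added illustration of this optional step, not code from the original article or from Sixscape. Using only the Go standard library, a constructed test CA issues a server certificate and a client certificate for "alice" (her name and an email address bound to her key), a loopback server is configured with tls.RequireAndVerifyClientCert so that the handshake itself authenticates the client, and the client connects once with its certificate and once without; the names server.test and alice@example.test are constructed for the demo.

```go
package main
import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)
// issue signs template t with the parent CA (self-signed when t.IsCA). Ephemeral Ed25519 test keys only.
func issue(serial int64, t, parent *x509.Certificate, pk ed25519.PrivateKey) (tls.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t.SerialNumber, t.NotBefore, t.NotAfter = big.NewInt(serial), time.Now().Add(-time.Hour), time.Now().Add(time.Hour)
	t.KeyUsage, t.BasicConstraintsValid = x509.KeyUsageDigitalSignature, true
	if t.IsCA { t.KeyUsage, parent, pk = t.KeyUsage|x509.KeyUsageCertSign, t, key } // self-signed root
	der, _ := x509.CreateCertificate(rand.Reader, t, parent, pub, pk)
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}, key
}
// Connect runs the client-certificate step over loopback TCP; returns the identity the server read from the verified client cert, or the client's error.
func Connect(withClientCert bool) (string, error) {
	ca, caKey := issue(1, &x509.Certificate{Subject: pkix.Name{CommonName: "Test CA"}, IsCA: true}, nil, nil)
	srv, _ := issue(2, &x509.Certificate{Subject: pkix.Name{CommonName: "server.test"}, DNSNames: []string{"server.test"},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}}, ca.Leaf, caKey)
	cli, _ := issue(3, &x509.Certificate{Subject: pkix.Name{CommonName: "alice"}, EmailAddresses: []string{"alice@example.test"},
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}, ca.Leaf, caKey) // name and email bound to alice's key
	pool := x509.NewCertPool(); pool.AddCert(ca.Leaf) // the only issuer the server accepts for client certificates
	ln, err := net.Listen("tcp", "127.0.0.1:0"); if err != nil { return "", err }
	go func() { // server: demand a client certificate chaining to pool, then greet the verified identity
		conn, err := ln.Accept()
		if err != nil { return }
		s := tls.Server(conn, &tls.Config{MinVersion: tls.VersionTLS13, Certificates: []tls.Certificate{srv},
			ClientAuth: tls.RequireAndVerifyClientCert, ClientCAs: pool})
		defer s.Close()
		if s.Handshake() != nil { return } // missing or unverifiable client certificate: alert already sent
		s.Write([]byte(s.ConnectionState().PeerCertificates[0].Subject.CommonName)) // identity from the cert, no password
	}()
	cfg := &tls.Config{MinVersion: tls.VersionTLS13, RootCAs: pool, ServerName: "server.test"}
	if withClientCert { cfg.Certificates = []tls.Certificate{cli} }
	c, err := tls.Dial("tcp", ln.Addr().String(), cfg)
	if err != nil { return "", err }
	defer c.Close()
	buf := make([]byte, 64)
	n, err := c.Read(buf) // the greeting, or the server's alert rejecting the handshake
	return string(buf[:n]), err
}
func main() { fmt.Println(Connect(true)); fmt.Println(Connect(false)) } // constructed demo: accepted, then refused
```

The first call returns "alice" taken from the verified certificate; the second fails because the server refuses to complete the handshake without a trusted client certificate.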

Strong Client Authentication (SCA) requires issuing a client cert to every user that needs to authenticate to the server. There may be 1,000 or even 1,000,000 times as many client certs as server certs in a given secure system. It is much more difficult to issue client certs than server certs because of this much higher volume, and the information in every client cert must be verified before it is issued.

Most web and email servers support SCA, but it is not widely used today due to the difficulty and cost of obtaining trusted client certificates for every user. SCA solves many of the security issues with web (and other) systems today.

Sixscape's Domain Identity Registry infrastructure is designed to issue any number of client certificates and to provide validity and revocation checking, in addition to a secure address registry. It makes possible secure End2End direct connections for IPv6 nodes (where there are plenty of public addresses and no NAT).