Do all DACS users have to have client certificates issued by the same certificate authority?
No. And unless their jurisdiction requires it, users do not have to have client certificates. If a jurisdiction chooses to authenticate a user using an X.509 certificate, it must merely be able to validate a client certificate passed to it by DACS and map the certificate to a DACS username. In cases where the web server is configured to do this validation itself, DACS may not need to repeat this validation. If the jurisdiction is already using this certificate to authenticate its owner for other purposes (e.g., web access), it must also already have the necessary means of validating the certificate. DACS obtains the X.509 certificate through its SSL connection with the user. It is possible to use self-signed certificates if a jurisdiction (or the federation) chooses to operate its own certificate authority.
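The mapping step described above, sketched as an added example (not DACS code): it assumes the web server has already validated the certificate chain and exports the mod_ssl variables `SSL_CLIENT_VERIFY`, `SSL_CLIENT_I_DN` and `SSL_CLIENT_S_DN` in comma-separated form. The rule table, CA names and username syntax are constructed for illustration. Because several CAs are trusted, each issuer is limited to the organisation it may vouch for.

```python
import re

# Constructed policy: one entry per trusted CA, keyed by the issuer DN string.
# Each CA may only vouch for subjects in one organisation (O), and names the
# subject attribute that becomes the username.
ISSUER_RULES = {
    "CN=Jurisdiction A CA,O=Org A,C=US": {"org": "Org A", "attr": "CN"},
    "CN=Federation CA,O=Federation,C=US": {"org": "Org B", "attr": "UID"},
}
# Assumed username syntax for this example; not DACS's actual rule.
SAFE_NAME = re.compile(r"[A-Za-z0-9._-]{1,64}")


def parse_dn(dn):
    """Split a comma-separated DN into {attribute: [values]}, honouring '\\,'."""
    attrs = {}
    for rdn in re.split(r"(?<!\\),", dn):
        key, sep, value = rdn.strip().partition("=")
        if not sep or not key:
            raise ValueError("malformed DN component: %r" % rdn)
        attrs.setdefault(key, []).append(value.replace("\\,", ","))
    return attrs


def map_certificate(env):
    """Return a username for a verified client certificate, or None."""
    # Only certificates the web server fully verified are considered.
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    # The issuer selects the rule; an unlisted CA maps to nobody.
    rule = ISSUER_RULES.get(env.get("SSL_CLIENT_I_DN", ""))
    if rule is None:
        return None
    try:
        subject = parse_dn(env.get("SSL_CLIENT_S_DN", ""))
    except ValueError:
        return None
    # A CA cannot assert identities outside the organisation assigned to it.
    if subject.get("O") != [rule["org"]]:
        return None
    names = subject.get(rule["attr"], [])
    if len(names) != 1 or not SAFE_NAME.fullmatch(names[0]):
        return None
    return names[0]
```

The issuer lookup is an exact string match, so the table entries must use the same DN formatting the web server emits.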