Authentication by Purdue X.509 certificate
Users who possess a Purdue certificate may authenticate to the Purdue realm by establishing a client-side SSL connection with the authentication net daemon. Successful client-side SSL setup uniquely identifies the person because Purdue certificates have the person's PUID embedded within the certificate. The person is authenticated because he had to prove knowledge of the certificate's private key as part of the SSL negotiation. A successful certificate authentication to the Purdue realm establishes the user's identity in that realm, and possibly in other realms (see Trust Relationships below).
Certificate-based authentication is not part of the protocol clients use to communicate with the net daemons. I.e., there is no "authenticate with a certificate" command in that protocol. Certificate-based authentication occurs when the client establishes a client-side SSL connection with a net daemon. Until this connection is established the net daemon doesn't listen for commands; once it is established the user has been authenticated even though protocol commands have not yet been sent by the client.
Certificate-based authentication is available only with Purdue-issued certificates. Certificates issued by other certificate authorities cannot be used because they do not have the PUID embedded within the certificate.
While a user remains connected, the authentication net daemon tracks the session's authentication state and passes it to the authentication DBM with each command. Having established a client-side SSL connection, the user is authenticated to the Purdue realm. If the user authenticates to other realms via the "authenticate by password" protocol command, the authentication net daemon records each successful authentication and passes these additional authentication credentials to the authentication DBM.
Trust Relationships
Realms may define trust relationships with other realms to allow a user to authenticate once and share the resulting authentication credentials with other realms. The combination of the authentication DBM's trust relationships and the authentication net daemon's tracking of authentication sessions allows users to establish their identities in multiple realms with a single authentication. Realms that trust the Purdue realm will automatically accept Purdue certificate authentications.
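The following is an added example, not code from the Purdue authentication daemon: it shows how a daemon could derive the session identity from a verified client-side SSL certificate (rejecting certificates from other issuers, which carry no PUID), track per-session authentication state, and resolve which realms accept that state through trust relationships. The issuer name, the subject attribute holding the PUID, the realm names and the one-hop (non-transitive) trust model are assumptions; the page does not specify them.

```python
import ssl

PURDUE_ISSUER_O = "Purdue University"  # assumed issuer O= of Purdue certificates
PUID_ATTR = "userId"                   # assumed subject attribute carrying the PUID


def daemon_ssl_context(ca_file):
    """Server-side context that requires a client certificate chaining to ca_file.
    Only a certificate verified here is ever handed to puid_from_peercert()."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED
    return ctx


def _rdn_dict(name):
    """Flatten the getpeercert() name layout ((('k', 'v'),), ...) into a dict."""
    return {k: v for rdn in name for k, v in rdn}


def puid_from_peercert(cert):
    """Return the PUID from a cert dict in SSLSocket.getpeercert() layout, or
    None when the certificate was not issued by Purdue or carries no PUID."""
    if not cert:
        return None
    if _rdn_dict(cert.get("issuer", ())).get("organizationName") != PURDUE_ISSUER_O:
        return None  # other CAs do not embed a PUID, so they cannot authenticate
    return _rdn_dict(cert.get("subject", ())).get(PUID_ATTR) or None


class AuthSession:
    """Per-connection authentication state kept by the net daemon."""

    def __init__(self, puid):
        self.puid = puid
        self.realms = {"Purdue"}  # client-side SSL setup authenticates to Purdue

    def add_password_auth(self, realm):
        """Record a successful 'authenticate by password' to another realm."""
        self.realms.add(realm)


def accepted_realms(session, trust):
    """Realms the session's credentials are valid in: those it authenticated to
    directly, plus every realm that trusts one of them (one hop, by assumption).
    trust maps realm name -> set of realm names it trusts."""
    accepted = set(session.realms)
    for realm, trusted in trust.items():
        if trusted & session.realms:
            accepted.add(realm)
    return accepted


# Constructed sample certificates in getpeercert() layout (not real Purdue data).
PURDUE_CERT = {"issuer": ((("organizationName", "Purdue University"),),),
               "subject": ((("commonName", "Sample User"),), (("userId", "0012345678"),))}
OTHER_CA_CERT = {"issuer": ((("organizationName", "Example CA"),),),
                 "subject": ((("commonName", "Sample User"),), (("userId", "0012345678"),))}
```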