In client-server communications, a client communicates with a server via a public communications network, such as the Internet, or a private communications network, such as an Intranet. With respect to the Internet, a web browser communicates with a web server using the Transmission Control Protocol/Internet Protocol (TCP/IP). For the majority of Internet communications, a web browser communicates with a web server using the generic Hyper-Text Transfer Protocol (HTTP), which is carried over the TCP/IP connection between the web browser and the web server. Most web browsers also enable clients to access other server resources and services, including File Transfer Protocol (FTP), Telnet, Wide-Area Information Servers (WAIS), and the like.
Two important security issues related to client-server communications are privacy and authentication. Privacy involves keeping anyone except the intended recipient from being able to read a communication between a client and a server. Privacy is typically accomplished using cryptography wherein communications are encrypted prior to transmission and decrypted upon receipt. Authentication involves verifying that the entity with whom a client or server is communicating is, in fact, who the client or server thinks the entity is.
HTTP-layer authentication typically requires HTTP challenge-response exchanges between a client and a web server before access to server resources is granted. This type of authentication typically requires the user to provide a user name and password to the server, which then validates this information by comparing it with information contained within an access control list (ACL). Another authentication method utilizes digital certificates (referred to hereinafter as "certificates"). A certificate is a set of data that identifies an entity and verifies that the specific public encryption and signature keys included within the certificate belong to that entity. A certificate is issued by a Certification Authority (CA) only after the CA has verified that the specified public encryption key belongs to the specified entity.
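The HTTP challenge-response authentication described above, followed by the ACL comparison, as an added example that is not part of the original text: the server issues a nonce challenge, the client answers with an RFC 7616-style digest (MD5 variant) of its credentials, and the server validates the answer against a stored credential hash before consulting the ACL. The realm name, user names, password, and ACL entries are constructed sample data.

```python
# Added example: server-side verification of an HTTP Digest challenge-response
# (RFC 7616 style, MD5 variant), then an ACL lookup by user name.
import hashlib
import hmac
import secrets

REALM = "example-realm"  # assumed realm name


def _md5(s: str) -> str:
    return hashlib.md5(s.encode()).hexdigest()


# The server stores HA1 = MD5(user:realm:password), never the plaintext password.
# Constructed sample credential: user "alice" with password "correct horse".
CREDENTIALS = {"alice": _md5(f"alice:{REALM}:correct horse")}

# Constructed ACL: which user names may reach which resource path.
ACL = {"/reports": {"alice"}, "/admin": {"root"}}

# Nonces the server has actually issued; an unknown nonce is rejected.
ISSUED_NONCES: set = set()


def make_challenge() -> dict:
    """Server side of the challenge: a fresh random nonce for this request."""
    nonce = secrets.token_hex(16)
    ISSUED_NONCES.add(nonce)
    return {"realm": REALM, "nonce": nonce, "qop": "auth"}


def _digest(ha1: str, method: str, uri: str, challenge: dict, cnonce: str, nc: str) -> str:
    ha2 = _md5(f"{method}:{uri}")
    return _md5(f"{ha1}:{challenge['nonce']}:{nc}:{cnonce}:{challenge['qop']}:{ha2}")


def client_response(user, password, method, uri, challenge, cnonce="0a4f", nc="00000001") -> str:
    """What the browser computes from the challenge (shown here for the demonstration)."""
    ha1 = _md5(f"{user}:{challenge['realm']}:{password}")
    return _digest(ha1, method, uri, challenge, cnonce, nc)


def verify(user, method, uri, challenge, response, cnonce="0a4f", nc="00000001") -> bool:
    """Authentication: recompute the digest from the stored HA1 and compare in constant time."""
    ha1 = CREDENTIALS.get(user)
    if ha1 is None or challenge["nonce"] not in ISSUED_NONCES:
        return False
    expected = _digest(ha1, method, uri, challenge, cnonce, nc)
    return hmac.compare_digest(expected, response)


def authorize(user, method, uri, challenge, response) -> bool:
    """Authentication first, then authorization by ACL lookup of the user name."""
    return verify(user, method, uri, challenge, response) and user in ACL.get(uri, set())
```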
When a client sends a request to access certain resources via a server, the server may request that the client transmit a certificate to the server for authentication purposes. When the server receives the certificate, it looks at the IP address of the client sending the certificate or the name of the individual user sending the request and then checks an ACL containing the IP addresses or user names authorized to access the requested resources.
Unfortunately, this procedure can be inefficient and time-consuming, especially when the ACL contains many IP addresses and/or user names. In addition, this procedure typically requires that ACLs be updated each time an individual user is granted or denied access to specific server resources, which can add significantly to the task of network administration. Thus, it would be desirable to be able to change the access rights of users without having to modify an ACL each time there is a change involving users authorized to access the server. It would also be desirable to be able to broaden the criteria upon which access to server resources can be based.