Re: Oracle SSL Authentication

Tony wrote:

> > I'm not sure if I understand the problem. I see two possibilities:
> > 1. Do you want to authenticate the user via SSL and then use that
> > identity to connect to the database?
> > In that case, the answer is "no." An OCI interface exists for doing
> > that, but Netscape doesn't use it (at least as far as I know).
> >
> > 2. Do you want to authenticate the user via SSL and connect to the
> > database using a separate user ID and password?
> > Yes. SSL is not required, although I would suggest using some sort of
> > encryption.
> >
> > Rick
>
> Let me explain a little further. I have a website that currently uses
> ACL to require users to gain access to restricted content. They must
> register for a username and password. I want to add a shopping cart
> with SSL connectivity. But, since users have already registered at my
> site to gain ACL access, then I don't want them to have to reregister
> to use the shopping cart.
>
> The problem I'm seeing is that I can't use one logon for both ACL and
> SSL connections. Since ACL is not secure (the usernames and passwords
> are encrypted however), this would be a security issue.
>
> I'm trying to find a workaround for this...any suggestions?
>
> Thanks again,
> Tony

Something is only as secure as its weakest link. You can layer DES encryption on top of this. But if they can open the door without a key ... they can do the next step too unless you put up a barrier. You can't have it both ways.

Daniel Morgan Received on Tue Jun 18 2002 - 15:43:12 CDT