Yeah, you may be able to get Stronghold, or something, to do the client-side certificate auth. Hey, didn't Chris Petrilli work with this stuff?
Yep. We've now got the expertise, we've just not had the opportunity to get into it. The customer driving our LDAP work will, in the next 3-4 months, also be driving an x509 requirement. When we do get to it I _strongly_ suspect that we'll defer as much as possible to the web server (in their case Netscape ES).
Ach! I've been found out :-) Yes, I've thought very hard about how to do this correctly, and it's not "hard", but it is tedious to get right. I spent too long on the wrong end of PKI (i.e. the infrastructure side) and have seen the pains of actually trying to use all this nifty technology. As soon as we have a customer requirement that drives it, we'll venture down there; unfortunately, that also requires getting some legal opinions as to whether the piece we're doing is subject to export control. I don't *think* so, but I'm not a lawyer. In the next few days (this weekend maybe?) I'll try and pretty up my little writings on how PKI and Zope could work together if anyone's interested.

Chris
--
| Christopher Petrilli    Python Powered    Digital Creations, Inc.
| petrilli@digicool.com    http://www.digicool.com