I'm kinda confused. If SSL cer开发者_高级运维tificates help to indentify that you are connected to a trusted server, then why is it necessary to use an encrypted ( HTTPS ) connection ? Can I use SSL certificates for HTTP connections?
There's a misconception here. Certificates are not SSL. It's SSL that uses certificates, but certificates were born before SSL. Consequently yes, you can use X.509 certificates without SSL (you can sign the request and put the signature to, for example, HTTP headers). You can use certificates with SSL but without SSL encryption (some of NULL ciphersuites).
The convenience of SSL/TLS is that it's a standard, i.e. it's widely recognized and strictly defined, while with other schemes you'd need to implement something homemade. Yet I can remind you of WS-Security standard which does exactly what you are asking about -- when you send the request to the web server via HTTP and utilize WS-Security, you get certificate authentication without SSL (via plain HTTP).
精彩评论