Log in specification
=====================
Source: Provoznà Åád ISDS, version 2010-01-22, Pages 10â13, 16
Source: Vyhláška o stanovenà podrobnostà užÃvánà a provozovánà ISDS (194/2009
Coll.)
Source: Webové služby ISDS pro manipulaci s datovými zprávami,
version 2 (2009-06-25)
Connection tracking of web services is done via HTTP Cookie, or HTTP client
must attach authentication data to each request. These two different
connection trackings are differentiated on base URL clients connect to.
Allowed log in methods:
â HTTPS connection, server authenticated using SSL server certificate,
user authenticated using HTTP 1.1 basic authentication with user name and
password.
â SSL connection, user authenticated using `commercial' client
certificate AND user name and password. The client certificate must be
preregistered in web (browser) interface.
â SSL connection, user authenticated using `system' client certificate.
Client certificate must be preregistered to the box.
â SSL connection, user authenticated using `system' client certificate of
third party AND using HTTP 1.1 basic authentication (user name is box ID,
password is empty). This case is intended for hosted Software as Service
solutions.
Note: Certificate attributes `commercial' and `system' are defined in Czech
Electronic Signature Act.
Once client certificate is registered, user could not log in with HTTP basic
authentication only.
Client private key must be stored in cryptographic device in non-exportable way.
The device driver must provide any of the APIs in addition:
â Microsoft CryptoAPI
â PKCS#11 API through libp11 library.
Log-in HTTP request must not be larger than 50 KB because server implementation
uses weird HTTP redirects etc. Therefore SOAP DummyOperation is available for
log-in purposes that is small enough (other SOAP requests can be much bigger).
Desktop applications accessing ISDS must log in only on manual request of
a user. Daemon implementations can log in automatically, but they are forbidden
to abuse ISDS (e.g. redownloading old messages).
