I have been trying to find a way not only to get the user certificate info - i.e. authentication via DigitalID - but also to have a digest of the request, signed by the client (Web Browser only - not the Applet/Application case) or something like that, so I can prove to a 3rd party that the user with the specific certificate has issued the specific request. Is it at all possible?
Alex Chaffee: That's an interesting question. I'm pretty sure the answer is "no," at least not without hacking the server. The request *is* signed by the client, effectively, but (a) since it's SSL, what's signed is not the request itself, but the symmetric key used to encrypt the request before it's sent, and (b) the Servlet spec doesn't expose any of the mechanics of the SSL transaction anyway -- it just hands you an already-authorized Principal.
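Evidence a third party could check would be a signature over the request bytes themselves, made with the private key that matches the user's certificate and stored alongside the request. The sketch below is an added example, not code from this thread or from any servlet container. Assumptions: the class and method names are hypothetical, the key pair is generated on the spot to stand in for the certificate's key, and the client is assumed to have some way to produce the signature, which the SSL handshake does not give you.

```java
import java.nio.charset.StandardCharsets;
import java.security.GeneralSecurityException;
import java.security.KeyPair;
import java.security.KeyPairGenerator;
import java.security.PublicKey;
import java.security.Signature;

// Hypothetical helper: checks a detached signature over the exact request bytes.
public class SignedRequestCheck {

    // In a servlet the public key would come from the client's X509Certificate
    // (certificate.getPublicKey()); here it is passed in directly.
    static boolean verify(PublicKey certKey, byte[] requestBytes, byte[] sig) {
        try {
            Signature v = Signature.getInstance("SHA256withRSA");
            v.initVerify(certKey);
            v.update(requestBytes);
            return v.verify(sig);
        } catch (GeneralSecurityException e) {
            return false; // malformed signature or wrong key type: treat as unverified
        }
    }

    public static void main(String[] args) throws Exception {
        // Constructed stand-in for the key pair behind the user's certificate.
        KeyPairGenerator gen = KeyPairGenerator.getInstance("RSA");
        gen.initialize(2048);
        KeyPair user = gen.generateKeyPair();

        // Constructed sample request body.
        byte[] request = "POST /transfer\n\namount=100&to=12345".getBytes(StandardCharsets.UTF_8);

        // Client side (assumed capability): sign the request bytes.
        Signature s = Signature.getInstance("SHA256withRSA");
        s.initSign(user.getPrivate());
        s.update(request);
        byte[] sig = s.sign();

        // Server side: request + signature + certificate are kept as the evidence.
        System.out.println("original request verifies: " + verify(user.getPublic(), request, sig));

        // Any change to the stored request breaks the proof.
        byte[] altered = "POST /transfer\n\namount=900&to=12345".getBytes(StandardCharsets.UTF_8);
        System.out.println("altered request verifies:  " + verify(user.getPublic(), altered, sig));
    }
}
```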