The previous sections described how public key certificates may be used to validate parties
involved in secure communications. They also explained why some work, time, and cost are
involved in obtaining certificates.
The nature of Internet usage is such that it is important to distinguish between server
validation and client validation. Server validation allows a client to know that it is talking to the
intended server. Conversely, client validation allows a server to know that it is talking to the
intended client.
It is often more important for a client to know that it is talking to the intended server than the
converse. The reason for this is often financial. For example, if a client is purchasing an item
from an online retailer, the client needs to be certain that their credit card details are going to
the intended destination. While it might be nice for the retailer to be certain where the money
is coming from, it is not usually essential. Therefore, server validation is nearly always used in
such transactions, but client validation is less often used. Other applications, such as Internet
banking, often use both client and server validation.
In FTPS, both server and client validation by certificate are optional. Though the server's
certificate is always sent, it is up to the client whether or not it validates the certificate. It is up
to the client whether or not it will try to validate itself to the server, but some servers have a
policy of not allowing unvalidated clients to access some or all of its resources.
It is important to note that, although many FTPS servers don't request client certificates, most
require a user-name and password to be sent. If these are sent over a secure control channel
then a reasonable level of client validation is inherent.
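The three validation postures described above (the client always validating the server; the server treating client certificates as not requested, optional, or required; and the username and password being sent only after the control channel is secured) can be expressed directly with Python's `ssl` and `ftplib` modules. The following is an added example, not code from the original page or from any FTPS product; the helper names (`client_context`, `server_context`, `describe`, `connect_ftps`) and the `CLIENT_POLICIES` mapping are assumptions made for illustration, and the certificate and key file paths are placeholders supplied by the caller.

```python
"""Server and client validation policies for explicit FTPS (AUTH TLS).

Illustrative helper code written for this page, not part of the original text.
"""
import ssl
from ftplib import FTP_TLS

# Maps the three client-validation postures discussed on the page onto
# the ssl module's verify modes (mapping name is an assumption of this example).
CLIENT_POLICIES = {
    "none": ssl.CERT_NONE,          # server never asks for a client certificate
    "optional": ssl.CERT_OPTIONAL,  # requested; accepted if absent, verified if present
    "required": ssl.CERT_REQUIRED,  # handshake fails without a valid client certificate
}


def client_context(ca_file=None, client_cert=None, client_key=None):
    """Context for an FTPS client that always validates the server's certificate."""
    # Purpose.SERVER_AUTH gives CERT_REQUIRED plus hostname checking by default.
    ctx = ssl.create_default_context(ssl.Purpose.SERVER_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    if client_cert:
        # Only needed when the server's policy demands client validation.
        ctx.load_cert_chain(client_cert, client_key)
    return ctx


def server_context(client_policy="none", ca_file=None, cert_file=None, key_file=None):
    """Context for an FTPS server; whether clients are validated is a policy choice."""
    ctx = ssl.create_default_context(ssl.Purpose.CLIENT_AUTH, cafile=ca_file)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = CLIENT_POLICIES[client_policy]
    if cert_file:
        # A real server must always present its own certificate; loading is made
        # optional here only so the policy logic can be exercised without key
        # material on disk (placeholder paths are supplied by the caller).
        ctx.load_cert_chain(cert_file, key_file)
    return ctx


def describe(ctx):
    """Summarise a context's validation posture as plain values for inspection."""
    return {
        "verifies_peer": ctx.verify_mode != ssl.CERT_NONE,
        "peer_cert_mandatory": ctx.verify_mode == ssl.CERT_REQUIRED,
        "checks_hostname": ctx.check_hostname,
    }


def connect_ftps(host, user, password, ctx, port=21):
    """Explicit FTPS login: secure the control channel before sending credentials."""
    ftp = FTP_TLS(context=ctx)
    ftp.connect(host, port)
    ftp.auth()                  # AUTH TLS: the handshake validates the server here
    ftp.login(user, password)   # credentials now travel over the encrypted control channel
    ftp.prot_p()                # protect data connections as well
    return ftp


if __name__ == "__main__":
    print("client :", describe(client_context()))
    for policy in CLIENT_POLICIES:
        print(f"server ({policy:8}):", describe(server_context(policy)))
```

`describe(client_context())` reports that the server's certificate is mandatory and its hostname is checked, while `server_context("optional")` reports that a client certificate is verified only if one is presented; `server_context("none")` corresponds to the common case where the server relies on the username and password sent over the secured control channel instead.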