==================
It is not using 2way SSL; if it were, there would really be no need for it.
Fact is, 2way SSL only works in very simple scenarios, accessing only one host with no need to handle "logoff". In more common (larger-scale) solutions, 2way SSL in reality works badly (because browsers will renegotiate SSL connections with host changes - also when changing subdomains within a domain). 2way SSL breaks SSO when switching between different subdomains within the same domain.
Because of the problems with 2way SSL, OpenLogon is designed to use 1way SSL, doing the "client side auth" as part of the applet.
Also, 2way SSL is end-to-end between the browser and the server that terminates the SSL session. But in most larger setups, this tends to be SSL accelerators which send on (only) the client public certificate to the application server. End-to-end is then only over the internet, whereas OpenLogon really is end-to-end, since the SSL accelerators only take care of the resource-consuming key exchange. Auth is handled by the logon service in the application server.
====================
Comments?