
List:       openssl-users
Subject:    Re: Client Authentication??
From:       Michael Sierchio <kudzu () dnai ! com>
Date:       2000-04-30 5:45:00

Al Shaver wrote:

> It's true that a cert won't function unless the cert
> holder also has the corresponding private key,

Sorry to be pedantic, but the cert works just
fine.  It's a binding of an identity to a public
key with a signature of a trusted third party.

> but the ongoing discussion about these
> certs was assuming that the owner of the
> private/public
> key pair would distribute everything (cert, BOTH keys,
> etc) to other parties.

That would be monumentally stupid.  It's relatively
easy to generate key pairs and signing requests within
a browser -- Netscape's KEYGEN tag and MSIE's xenroll.cab
which is easy to come by -- allow for a FORM to be posted
with SPKAC or PKCS#10 type self-signed public keys.  I've
written numerous CGI and servlets which pass this on to
OpenSSL CA for signing.

> Several responses to the original post (and to the
> follow-ups) have nicely summarized the issue, and it
> boils down to this: there's no way to verify with
> complete certainty that the holder of a client
> certificate is the cert's owner. Period.

Does not compute.  There are no restrictions on the "holder"
of a cert.  Presumably only one party has the corresponding
private key.  If this is not the case, said person deserves
to be spanked.  There is no such thing as a cert "owner."
Possession of the private key is everything.

The real burden is for the CA role to be sure of the binding
of the public key to an identity.
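Added example, not part of the thread: the enrolment flow Sierchio describes (client generates its own key pair, submits a PKCS#10 request, an OpenSSL CA signs it) followed by the proof-of-possession check that makes "possession of the private key is everything" concrete. It uses only the openssl CLI in a scratch directory; the CA name, subject "alice" and the impostor key are made up for the demonstration.

```shell
#!/bin/sh
# Minimal PKCS#10 enrolment plus proof-of-possession check (added example).
set -eu

demo_client_auth() {
  dir=$(mktemp -d)
  cd "$dir"
  # 1. The CA role: a self-signed CA certificate. Its only job is to vouch
  #    for the binding of a public key to an identity.
  openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
      -subj "/CN=Example CA" -days 1 2>/dev/null
  # 2. The client keeps its private key and sends only a PKCS#10 request
  #    (identity + public key, self-signed so the CA knows the requester
  #    holds the matching private key).
  openssl req -newkey rsa:2048 -nodes -keyout client.key -out client.csr \
      -subj "/CN=alice" 2>/dev/null
  openssl req -in client.csr -verify -noout 2>/dev/null
  # 3. The CA signs the request; the result is the client certificate.
  openssl x509 -req -in client.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
      -out client.crt -days 1 2>/dev/null
  # 4. Anyone holding the cert can validate the binding against the CA.
  openssl verify -CAfile ca.crt client.crt >/dev/null
  # 5. Authentication: a server challenge signed with the private key and
  #    verified with the public key taken from the certificate.
  printf 'constructed-nonce-%s' "$$" > challenge
  openssl dgst -sha256 -sign client.key -out sig challenge
  openssl x509 -in client.crt -pubkey -noout > client.pub
  openssl dgst -sha256 -verify client.pub -signature sig challenge >/dev/null
  # 6. A party that has the cert but a different private key cannot produce
  #    a signature that verifies, so the cert alone authenticates nobody.
  openssl genrsa -out impostor.key 2048 2>/dev/null
  openssl dgst -sha256 -sign impostor.key -out badsig challenge
  if openssl dgst -sha256 -verify client.pub -signature badsig challenge \
      >/dev/null 2>&1; then
    return 1
  fi
  return 0
}
```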
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majordomo@openssl.org
