List: openssl-users
Subject: Re: Client Authentication??
From: Michael Sierchio <kudzu () dnai ! com>
Date: 2000-04-30 5:45:00
Al Shaver wrote:
> It's true that a cert won't function unless the cert
> holder also has the corresponding private key,
Sorry to be pedantic, but the cert works just
fine. It's a binding of an identity to a public
key with a signature of a trusted third party.
> but the ongoing discussion about these
> certs was assuming that the owner of the
> private/public
> key pair would distribute everything (cert, BOTH keys,
> etc) to other parties.
That would be monumentally stupid. It's relatively
easy to generate key pairs and signing requests within
a browser -- Netscape's KEYGEN tag and MSIE's xenroll.cab
which is easy to come by -- allow for a FORM to be posted
with SPKAC or PKCS#10 type self-signed public keys. I've
written numerous CGI scripts and servlets which pass this on to
OpenSSL CA for signing.
> Several responses to the original post (and to the
> follow-ups) have nicely summarized the issue, and it
> boils down to this: there's no way to verify with
> complete certainty that the holder of a client
> certificate is the cert's owner. Period.
Does not compute. There are no restrictions on the "holder"
of a cert. Presumably only one party has the corresponding
private key. If this is not the case, said person deserves
to be spanked. There is no such thing as a cert "owner."
Possession of the private key is everything.
The real burden is for the CA role to be sure of the binding
of the public key to an identity.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager majordomo@openssl.org
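As an added example (not part of this thread), the request-and-sign flow the reply describes, done with the openssl(1) command line instead of a browser's KEYGEN tag or xenroll: the client keeps its private key, hands the CA only a PKCS#10 request, and once the certificate is issued the only thing that distinguishes the key pair's holder from anyone who merely has a copy of the (public) certificate is a signature the private key can make. The test CA, the subject "alice", the challenge text and the file names are constructed; the script assumes openssl is on PATH.

```shell
#!/bin/sh
# Added example, not code from the thread: PKCS#10 request, CA signing,
# and proof of possession with openssl(1). Assumes openssl is on PATH.
set -e
WORK=$(mktemp -d)

# CA role: its own key pair and a self-signed CA certificate (constructed test CA).
setup_ca() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/ca.key" 2>/dev/null
  openssl req -new -x509 -key "$WORK/ca.key" -subj "/CN=Example Test CA" -days 365 -out "$WORK/ca.crt"
}

# Client role: generate the key pair locally and emit only a PKCS#10 request.
# The private key stays in $WORK/client.key and is never sent to the CA.
make_client_csr() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/client.key" 2>/dev/null
  openssl req -new -key "$WORK/client.key" -subj "/CN=alice" -out "$WORK/client.csr"
}

# CA role: check the request's self-signature (the requester proved it holds the
# key), issue the certificate, and confirm it chains to the CA.
sign_csr() {
  openssl req -in "$WORK/client.csr" -verify -noout
  openssl x509 -req -in "$WORK/client.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
    -CAcreateserial -days 365 -out "$WORK/client.crt" 2>/dev/null
  openssl verify -CAfile "$WORK/ca.crt" "$WORK/client.crt" >/dev/null
}

# The certificate binds an identity to a public key. Returns 0 only if $2 is the
# private key matching certificate $1, i.e. a signature it makes verifies with the
# public key taken from the certificate (constructed challenge message).
proves_possession() {
  cert=$1; key=$2
  printf 'challenge' > "$WORK/msg"
  openssl x509 -in "$cert" -pubkey -noout > "$WORK/pub.pem"
  openssl dgst -sha256 -sign "$key" -out "$WORK/msg.sig" "$WORK/msg"
  openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$WORK/msg.sig" "$WORK/msg" >/dev/null 2>&1
}

setup_ca
make_client_csr
sign_csr
# A second, unrelated key (constructed): having the public certificate alone gets nothing.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$WORK/other.key" 2>/dev/null
proves_possession "$WORK/client.crt" "$WORK/client.key" && echo "client key matches cert: OK"
proves_possession "$WORK/client.crt" "$WORK/other.key" || echo "other key rejected: cert alone proves nothing"
```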