Re: [openssl-users] I'm confused on the big picture. Help?

2002-05-16 Thread Mark H. Wood

On 15 May 2002, Eric Rescorla wrote:
> Chris Cleeland [EMAIL PROTECTED] writes:
> > On Wed, 15 May 2002, John Jones wrote:
[snip]
> > > Steps I vaguely see, please help me if you can:
> > >
> > > 2) I need to use the command line utility that comes with OSSL to make
> > > uh..what?  A private key? A certificate?  The user will never see
> > > this stuff, hopefully.
> >
> > Yes, and Eric's book doesn't really address these issues much.  I haven't
> > really found any book that does in a clear and concise way.
> Yeah, I don't address this at all, really. John Viega's new book
> Network Security With OpenSSL should cover this, but it's not
> available yet. For the moment, you'll have to read the OpenSSL docs.

Adams & Lloyd's _Understanding Public-Key Infrastructure_ is what I'm
reading right now to try to understand what objects I need, what to put in
them, and how to handle them once I've got them.  It's not *too* old
(1999) and seems to be a thorough survey of the issues.  There's nothing
at the level of detail that would allow its use as an OpenSSL cookbook --
sometimes I feel I paid $50 for a list of RFCs -- but it's good for
getting a broad view of the topic.

It's probably better in the long run to understand things at that level,
than to have specific commands all laid out for one.  I figure that I
ought to come away with a deeper understanding of what I'm doing, if I
work out the abstract requirements and then translate to OpenSSL
specifics.

I do think I'll have a look at _Network Security with OpenSSL_ when it
comes out, though.

-- 
Mark H. Wood, Lead System Programmer   [EMAIL PROTECTED]
MS Windows *is* user-friendly, but only for certain values of user.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]



Re: [openssl-users] I'm confused on the big picture. Help?

2002-05-15 Thread Eric Rescorla

Chris Cleeland [EMAIL PROTECTED] writes:
> On Wed, 15 May 2002, John Jones wrote:
>
> > Please help me get my facts straight on what this is all about.
> >
> > What I want to do:
> > Send an XML string from a non-browser client to a server, but securely, because it
> > will contain credit card information and other personal junk.
> > It has to be on the Mac and Windows platforms at least.
> >
> > Steps I see:
> > Use OpenSSL because I can get that for OS X and also for Windows.
> > OK, after that, I'm fuzzy.
>
> Step 2: purchase Eric Rescorla's excellent book.
Thanks for the kind words :)

You should also check out my article Introduction to OpenSSL Programming,
available at http://www.rtfm.com/openssl-examples
which is an expanded version of the programming chapter of my book,
targeted towards Linux. You should be able to adapt the programs to
OpenSSL and Windows relatively easily.

> > Steps I vaguely see, please help me if you can:
> >
> > 2) I need to use the command line utility that comes with OSSL to make
> > uh..what?  A private key? A certificate?  The user will never see
> > this stuff, hopefully.
>
> Yes, and Eric's book doesn't really address these issues much.  I haven't
> really found any book that does in a clear and concise way.
Yeah, I don't address this at all, really. John Viega's new book
Network Security With OpenSSL should cover this, but it's not
available yet. For the moment, you'll have to read the OpenSSL docs.

> > 3) I need to put a copy of the private key on the server and the client,
> > and somehow that gets used to encrypt the private information
> > the client sends.
>
> If memory serves well, I believe that Eric's book does address these sorts of
> issues.
Yes this is covered in my book.

Ignoring the details of how this happens in SSL, here is the short
version of what you have to do:

You don't need a private key on the client, just on the server.
The client needs to either:

(1) Have a copy of the server's certificate.
(2) Trust the CA who signed the server's certificate.
(3) Just accept the server's public key/certificate without verifying
it. This is fine for testing but lousy for security.

-Ekr


-- 
[Eric Rescorla   [EMAIL PROTECTED]]
http://www.rtfm.com/
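
An added example, not code from the thread or from either author: Eric's two verifying options above, (1) the client holds a copy of the server's certificate and (2) the client trusts the CA that signed it, carried through with the openssl command line tool that John asks about. It creates the server's private key and certificate both ways and runs the client-side check with `openssl verify`; option (3) is not shown since it checks nothing. It assumes an openssl binary of 1.1.1 or later on PATH; the host names, the CA name and the file paths are made up for the example.

```shell
#!/bin/sh
# Added example, not code from the thread. Builds the objects John asks about
# with the openssl CLI: a server private key and certificate, either self-signed
# (Eric's option 1: the client keeps a copy of that certificate) or signed by a
# small private CA (option 2: the client trusts the CA certificate instead).
# Assumes openssl 1.1.1+ on PATH; host names, CA name and paths are made up.
set -eu
WORK=$(mktemp -d); trap 'rm -rf "$WORK"' EXIT

# Minimal request config so nothing depends on the system openssl.cnf.
cat > "$WORK/req.cnf" <<'EOF'
[req]
distinguished_name = dn
prompt = no
[dn]
CN = overridden by -subj
EOF

# Option 1: self-signed; the client must be handed this exact cert as its trust anchor.
make_self_signed() {   # $1 = server host name
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=$1" -addext "subjectAltName=DNS:$1" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Option 2: a private CA signs the server's request; only ca.crt goes to clients.
make_ca() {
    openssl req -x509 -config "$WORK/req.cnf" -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Private CA" -addext "basicConstraints=critical,CA:TRUE" \
        -addext "keyUsage=critical,keyCertSign" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}
make_ca_signed() {     # $1 = server host name; run make_ca first
    openssl req -new -config "$WORK/req.cnf" -newkey rsa:2048 -nodes \
        -subj "/CN=$1" -keyout "$WORK/$1.key" -out "$WORK/$1.csr" 2>/dev/null
    printf 'subjectAltName=DNS:%s\nbasicConstraints=CA:FALSE\n' "$1" > "$WORK/$1.ext"
    openssl x509 -req -days 1 -in "$WORK/$1.csr" -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" \
        -CAcreateserial -extfile "$WORK/$1.ext" -out "$WORK/$1.crt" 2>/dev/null
}

# The client's question: does this server certificate chain to something I trust?
verify_against() {     # $1 = trusted cert stem (server's own, or "ca"), $2 = server stem
    openssl verify -CAfile "$WORK/$1.crt" "$WORK/$2.crt" >/dev/null 2>&1
}

make_self_signed www1.example
make_ca && make_ca_signed www2.example
verify_against www1.example www1.example && echo "option 1: self-signed cert accepted"
verify_against ca www2.example && echo "option 2: CA-signed cert accepted"
verify_against ca www1.example || echo "self-signed cert rejected by a client that trusts only the CA"
```

The last line is the point of doing verification at all: a client configured for option (2) refuses a certificate that merely signs itself, which is exactly what option (3) would wave through.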