I wish SHARE would get the Sacto presentations up; then I could refer you to my 
session there.

Your certificate contains the public half of a public-private key pair. You 
generated that pair and keep the private part private.

The entire certificate is signed by a certificate authority. In other words, it 
contains a hash encrypted with the private key of the CA.

The recipient of the certificate verifies that it is valid by verifying that 
the hash can be decrypted with the CA's public key, which is contained in the 
recipient's CA certificate.

So ... your private key has played no part in validating the certificate.

Now ... for data traffic purposes, the recipient creates a random number which 
will be used for secret key encryption/decryption of data traffic. He encrypts 
that random number with the public key from the certificate and sends it to 
you. You decrypt it with your private key and use it for secret key 
encryption/decryption of session traffic. That is where your private key comes 
in.

The above is a simplification and leaves out details like client certificates 
and intermediate certificates, but it accurately represents the essence of the 
thing.

Charles
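The exchange Charles describes above, carried into working code as an added example (this is not code from the thread, from SHARE or from IBM). It uses only the Go standard library: the holder generates a key pair and the CA certifies the public half; the recipient validates the certificate with nothing but the CA's public key; then the recipient draws a random secret key, encrypts it to the public key in the certificate, and the holder recovers it with the private key. The names newIdentity, wrapSessionKey, unwrapSessionKey, Demo, "Constructed Root CA" and "holder.example" are assumptions for the example, and RSA-OAEP is assumed as the concrete form of "encrypts that random number with the public key".

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// newIdentity generates a key pair locally and has the signer certify only the public
// half; the private half is returned to the caller and never touches the signer.
// With isCA set, the certificate is self-signed with its own key (a constructed root CA).
func newIdentity(cn string, isCA bool, parent *x509.Certificate, signerKey *rsa.PrivateKey) (*x509.Certificate, *rsa.PrivateKey, error) {
	key, err := rsa.GenerateKey(rand.Reader, 2048)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
		parent, signerKey = tmpl, key
	}
	// The signer's private key signs a hash of the whole certificate body (RawTBSCertificate).
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signerKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// wrapSessionKey is the recipient's side of the traffic setup: draw a random 256-bit
// secret key and encrypt it (RSA-OAEP, assumed here) under the public key carried in
// the certificate. Only the matching private key can recover it.
func wrapSessionKey(cert *x509.Certificate) (sessionKey, wrapped []byte, err error) {
	pub, ok := cert.PublicKey.(*rsa.PublicKey)
	if !ok {
		return nil, nil, errors.New("certificate does not carry an RSA public key")
	}
	sessionKey = make([]byte, 32)
	if _, err = rand.Read(sessionKey); err != nil {
		return nil, nil, err
	}
	wrapped, err = rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, sessionKey, nil)
	return sessionKey, wrapped, err
}

// unwrapSessionKey is the certificate holder's side, and the one step in the whole
// exchange that needs the private key.
func unwrapSessionKey(priv *rsa.PrivateKey, wrapped []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, wrapped, nil)
}

// Demo walks the exchange end to end and returns the recipient's and the holder's
// copies of the session key; a correct run yields two identical 32-byte values.
func Demo() ([]byte, []byte, error) {
	caCert, caKey, err := newIdentity("Constructed Root CA", true, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	holderCert, holderKey, err := newIdentity("holder.example", false, caCert, caKey)
	if err != nil {
		return nil, nil, err
	}
	// Validation: the recipient checks the CA's signature with the CA public key from
	// its own copy of the CA certificate; holderKey plays no part in this step.
	if err := holderCert.CheckSignatureFrom(caCert); err != nil {
		return nil, nil, fmt.Errorf("holder certificate rejected: %w", err)
	}
	recipientCopy, wrapped, err := wrapSessionKey(holderCert)
	if err != nil {
		return nil, nil, err
	}
	holderCopy, err := unwrapSessionKey(holderKey, wrapped) // here the private key comes in
	return recipientCopy, holderCopy, err
}

func main() {
	a, b, err := Demo()
	fmt.Printf("recipient: %x\nholder:    %x\nerr: %v\n", a, b, err)
}
```

Two checks worth running against this: a certificate issued by a CA the recipient does not hold fails CheckSignatureFrom even though it is a perfectly well-formed certificate, and a wrapped session key cannot be recovered with any private key other than the one whose public half is in the certificate. The example stops at the shared secret key; encrypting the session traffic with it is the ordinary symmetric step Charles alludes to and is not shown here.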


-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf 
Of Andrew Rowley
Sent: Thursday, April 5, 2018 10:52 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Software Delivery on Tape to be Discontinued

On 6/04/2018 12:41 PM, Charles Mills wrote:
> No, @Gil has it right.
OK, help me understand.

>> I believe so but, answering Andrew's question, the signature on 
>> messages he sends is encrypted using Andrew's private key which he does not 
>> disclose even to the CA.

The signature is encrypted using my private key.

>> The recipient verifies the signature using the public key obtained from the 
>> CA.
The signature needs to be verified using the key that matches my private key, 
i.e. my public key, correct? How is that obtained from the CA? I suspect we 
just have a terminology problem here but I'm not quite seeing it.

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
