I wish SHARE would get the Sacto presentations up; then I could refer you to my session there.

Your certificate contains the public half of a public-private key pair. You generated that pair and keep the private part private.

The entire certificate is signed by a certificate authority. In other words, it contains a hash encrypted with the private key of the CA. The recipient of the certificate verifies that it is valid by verifying that the hash can be decrypted with the CA's public key, which is contained in the recipient's CA certificate.

So ... your private key has played no part in validating the certificate.

Now ... for data traffic purposes, the recipient creates a random number which will be used for secret key encryption/decryption of data traffic. He encrypts that random number with the public key from the certificate and sends it to you. You decrypt it with your private key and use it for secret key encryption/decryption of session traffic. That is where your private key comes in.

The above is a simplification and leaves out details like client certificates and intermediate certificates, but it accurately represents the essence of the thing.

Charles

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:IBM-MAIN@LISTSERV.UA.EDU] On Behalf Of Andrew Rowley
Sent: Thursday, April 5, 2018 10:52 PM
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: Software Delivery on Tape to be Discontinued

On 6/04/2018 12:41 PM, Charles Mills wrote:
> No, @Gil has it right.

OK, help me understand.

>> I believe so but, answering Andrew's question, the signature on
>> messages he sends is encrypted using Andrew's private key which he does not
>> disclose even to the CA.

The signature is encrypted using my private key.

>> The recipient verifies the signature using the public key obtained from the
>> CA.

The signature needs to be verified using the key that matches my private key, i.e. my public key, correct? How is that obtained from the CA?

I suspect we just have a terminology problem here but I'm not quite seeing it.
---------------------------------------------------------------------- For IBM-MAIN subscribe / signoff / archive access instructions, send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
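The flow Charles lays out (the CA signs a hash of the certificate, the recipient checks that signature with the CA's public key alone, then a random session key is encrypted to the public key in the certificate and recovered only with the matching private key), as an added example that is not part of the original thread. It uses textbook RSA on small Mersenne primes and a SHA-256 keystream as constructed stand-ins for real key sizes and a real symmetric cipher.

```python
import hashlib
E = 65537  # public exponent; the primes below are Mersenne primes, constructed for illustration

def rsa_keypair(p, q):
    """Return ((e, n), (d, n)): the public half goes in the certificate, d stays private."""
    n, phi = p * q, (p - 1) * (q - 1)
    return (E, n), (pow(E, -1, phi), n)

def rsa_apply(key, m):
    k, n = key
    return pow(m, k, n)

CA_PUB, CA_PRIV = rsa_keypair((1 << 31) - 1, (1 << 61) - 1)    # the CA's pair (toy size)
SRV_PUB, SRV_PRIV = rsa_keypair((1 << 89) - 1, (1 << 107) - 1)  # the certificate owner's pair

def cert_hash(cert_body):
    # SHA-256 truncated to 11 bytes so the value fits under the toy CA modulus (~2^92)
    return int.from_bytes(hashlib.sha256(cert_body).digest()[:11], "big")

# Step 1: the CA signs the certificate body (which carries the owner's public key).
def sign_certificate(ca_priv, cert_body):
    return rsa_apply(ca_priv, cert_hash(cert_body))

# Step 2: the recipient checks the signature with the CA's public key alone;
# the certificate owner's private key plays no part here.
def verify_certificate(ca_pub, cert_body, signature):
    return rsa_apply(ca_pub, signature) == cert_hash(cert_body)

# Step 3: the recipient picks a random session key and encrypts it to the public key
# in the certificate; only the holder of the matching private key can recover it.
def wrap_session_key(owner_pub, session_key):
    return rsa_apply(owner_pub, session_key)
def unwrap_session_key(owner_priv, wrapped):
    return rsa_apply(owner_priv, wrapped)

# Step 4: session traffic uses the shared secret. A SHA-256 keystream XOR stands in
# for a real symmetric cipher here; the same call encrypts and decrypts (key < 2^128).
def stream_crypt(session_key, data):
    stream, counter = bytearray(), 0
    while len(stream) < len(data):
        stream += hashlib.sha256(session_key.to_bytes(16, "big") + counter.to_bytes(4, "big")).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))

def handshake(cert_body, signature, session_key, message):
    """Client: verify cert, wrap key. Server: unwrap key, decrypt. Returns None on a bad cert."""
    if not verify_certificate(CA_PUB, cert_body, signature):
        return None
    owner_key = unwrap_session_key(SRV_PRIV, wrap_session_key(SRV_PUB, session_key))
    return stream_crypt(owner_key, stream_crypt(session_key, message))
```

Note that `verify_certificate` never touches `SRV_PRIV`; that key is first needed in `unwrap_session_key`, which is the point Charles makes.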