OH, read this again. I retract my comment - I didn't spot the reference to mutual authentication.
There would be an alternative for the server end to trust a client certificate signed by the client's CA by trusting the client's root CA.

Mike Wawiorko

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Mike Wawiorko
Sent: 29 August 2019 10:51
To: [email protected]
Subject: Re: vendor distributes their private key

Charles sent this: "But for certificate-based client authentication, the server admin must send the client admin a client certificate AND its private (???) key."

Surely that should say public key. Or am I missing something?

Mike Wawiorko I Mainframe Connectivity I Global Technology Infrastructure and Services
Tel +44 (0)330 1535515 I Internal 81535515 I Mobile +44 (0)7824 527120
Email [email protected]
Barclays, Wilson Technology Lab GB12, BTC Radbroke, WA16 9EU (Mail Van 49)
barclays.com

-----Original Message-----
From: IBM Mainframe Discussion List <[email protected]> On Behalf Of Charles Mills
Sent: 29 August 2019 00:19
To: [email protected]
Subject: Re: vendor distributes their private key

... But for certificate-based client authentication, the server admin must send the client admin a client certificate AND its private key.

Why? Philosophically, because a client certificate signed by a trusted CA does not prove the authenticity of the client. A man-in-the-middle might have previously intercepted the certificate and now be sending it out from HIS client as its own. ...

Charles

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [email protected] with the message: INFO IBM-MAIN
