> 
> >>> Kenneth Mutka <[EMAIL PROTECTED]> 12/08/99 07:55AM >>>
> >... run mod_ssl without having Certificates? I just want the crypto from the
> >package, nothing else.
> >Is that possible?
> >If not, what should I choose instead?
> 
> That's not possible for *any* Public-Key cryptography system unless the
> client already knows your public key (as can be done with SSH).  This
> isn't possible with HTTPS, of course, because every browser in the world
> would have to be pre-stocked with the public key of every HTTPS server
> in the world.  The point of the certificate is to inform the client of
> your public key (which is contained within the certificate) in such a
> way that the client can believe you; i.e., your public key is wrapped in a
> certificate which is digitally signed by a trusted Certification
> Authority.  So you *have to* have a certificate to be able to do HTTPS!


This is not really true.  You can use the anonymous Diffie-Hellman
ciphers if you do not want to use certificates.  Or you can install a
self-signed certificate on the server.  The only problem with these
methods is that they do not protect against man-in-the-middle attacks,
so you cannot be sure that you are not being listened to.


    Jeffrey Altman * Sr.Software Designer * Kermit-95 for Win32 and OS/2
                 The Kermit Project * Columbia University
              612 West 115th St #716 * New York, NY * 10025
  http://www.kermit-project.org/k95.html * [EMAIL PROTECTED]

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
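
The trade-off discussed in this thread, as an added example (not code from either poster or from mod_ssl): a toy Diffie-Hellman exchange in which an unauthenticated client cannot tell a substituted public value from the server's, while a client that already knows the server's key fingerprint (the SSH case) detects the substitution. The group parameters, `simulate` and the other helper names are assumptions made for illustration.

```python
import hashlib
import secrets

# Toy group, for illustration only (assumption): real TLS uses standardized
# 2048-bit or larger groups, or elliptic curves.
P = 2**127 - 1
G = 3

def keypair():
    """Return (private exponent, public value G^priv mod P)."""
    priv = secrets.randbelow(P - 3) + 2
    return priv, pow(G, priv, P)

def session_key(priv, peer_pub):
    """Derive a session key from the Diffie-Hellman shared secret."""
    secret = pow(peer_pub, priv, P)
    return hashlib.sha256(secret.to_bytes(16, "big")).hexdigest()

def fingerprint(pub):
    """Hash of a public value, like an SSH host-key fingerprint."""
    return hashlib.sha256(b"fp:" + pub.to_bytes(16, "big")).hexdigest()

def simulate(intercepted, pinned):
    """Run one key exchange (hypothetical helper); report what each side can tell."""
    s_priv, s_pub = keypair()   # server
    c_priv, c_pub = keypair()   # client
    m_priv, m_pub = keypair()   # on-path party that swaps in its own value
    # Pin learned out of band before the connection (constructed scenario).
    known_fp = fingerprint(s_pub) if pinned else None
    seen_by_client = m_pub if intercepted else s_pub
    seen_by_server = m_pub if intercepted else c_pub
    if known_fp is not None and fingerprint(seen_by_client) != known_fp:
        return {"detected": True, "keys_match": False, "exposed": False}
    client_key = session_key(c_priv, seen_by_client)
    server_key = session_key(s_priv, seen_by_server)
    # With no authentication, the on-path party holds a key with each side.
    exposed = intercepted and (session_key(m_priv, c_pub) == client_key
                               and session_key(m_priv, s_pub) == server_key)
    return {"detected": False, "keys_match": client_key == server_key,
            "exposed": exposed}

if __name__ == "__main__":
    for intercepted in (False, True):
        for pinned in (False, True):
            print(intercepted, pinned, simulate(intercepted, pinned))
```

In the unpinned, intercepted case both endpoints complete the exchange without error even though their keys differ, which is why encryption alone gives no assurance about who is on the other end.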
