As I continue to draft a clear security statement for our website... Talking to my CA this morning, I was looking to clear up in my mind how this all works. I understand how authentication with the certificate is to work, and I thought I understood what is encrypted and how it is decrypted. We (server side) have the only private key that can decrypt info coming to us from browser clients. I like this: they send some passwords that authenticate themselves to our system, and I would rather they could not be sniffed. However, testing with my test certificate (that I made), my browser comes up with a dialog saying that "passwords, credit card numbers", etc. will be passing to our server unencrypted. Now my CA this morning said that this is only because I am using a test certificate, and not a "real" one. Is this true?

Now the second question. The HTML that our Java servlets serve up to our clients out there with their browsers: is this, too, encrypted? Does it use my server's private key to encrypt, and the browser uses my public key to decrypt? Various items I have read allude to the fact that there is a more secure way for our server to send out stuff.

I didn't understand all I was being told this morning, but I also had a feeling that the person to whom I was speaking did not have a full understanding. I would greatly appreciate any comments, answers, or being pointed in certain directions. TIA.

--
Keith Simpson
Skillview Technologies
[EMAIL PROTECTED]
(603)-382-9882
______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                      [EMAIL PROTECTED]
Automated List Manager                            [EMAIL PROTECTED]
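The two things the post asks about (what the browser's "unencrypted" warning is reacting to, and whether the server-to-browser direction is protected as well) can be watched directly in code. The Go program below is an added example; it is not part of the post and is not Apache or mod_ssl code. It uses Go's crypto/tls in place of the mod_ssl server and of the browser. It generates a throwaway self-signed certificate (the home-made test certificate), starts a TLS server on loopback, then connects twice: once with an empty trust store, which is how a browser that does not know the issuer sees the server, and once with that same certificate installed as a trust anchor. The first attempt fails certificate verification with an "unknown authority" error before any application data is sent; the second completes the handshake, after which the client's password and the server's reply both travel inside the same session, protected by the symmetric keys negotiated in that handshake (the server's private key is only used during the handshake to prove the server's identity). The names `Result`, `RunDemo`, `serve`, `connect` and the `password=secret` payload are the example's own and are not from the post.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"net"
	"time"
)

// Result records what one client connection attempt learned (example type, not from the post).
type Result struct {
	Verified  bool   // handshake completed: the client accepted the server certificate
	Untrusted bool   // failure was specifically "certificate signed by unknown authority"
	Err       string // handshake error text, if any
	Version   uint16 // negotiated TLS version
	Cipher    uint16 // negotiated cipher suite; its symmetric keys protect both directions
	Reply     string // bytes the server sent back over the same encrypted session
}

// mustSelfSignedCert builds a throwaway self-signed certificate for "localhost",
// standing in for the home-made test certificate in the post (constructed here, not a real one).
func mustSelfSignedCert() tls.Certificate {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "localhost"},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
		DNSNames:              []string{"localhost"},
		BasicConstraintsValid: true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		panic(err)
	}
	leaf, _ := x509.ParseCertificate(der)
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: leaf}
}

// serve echoes the first message of each connection back, so the reply travels
// server -> client inside the same TLS session the client opened.
func serve(ln net.Listener) {
	for {
		c, err := ln.Accept()
		if err != nil {
			return // listener closed
		}
		buf := make([]byte, 1024)
		if n, err := c.Read(buf); err == nil { // the first Read runs the handshake
			fmt.Fprintf(c, "server saw %d bytes: %s", n, buf[:n])
		}
		c.Close() // on handshake failure (client rejected our certificate) nothing is echoed
	}
}

// connect plays the browser: it trusts exactly the roots it is given.
func connect(addr string, roots *x509.CertPool, payload string) Result {
	conn, err := tls.Dial("tcp", addr, &tls.Config{ServerName: "localhost", RootCAs: roots, MinVersion: tls.VersionTLS12})
	if err != nil {
		var unknown x509.UnknownAuthorityError
		return Result{Err: err.Error(), Untrusted: errors.As(err, &unknown)}
	}
	defer conn.Close()
	st := conn.ConnectionState()
	r := Result{Verified: true, Version: st.Version, Cipher: st.CipherSuite}
	conn.Write([]byte(payload)) // application data, encrypted with the session keys
	buf := make([]byte, 1024)
	n, _ := conn.Read(buf) // the server's reply, decrypted with the same session keys
	r.Reply = string(buf[:n])
	return r
}

// RunDemo starts one server with the self-signed certificate and connects twice.
func RunDemo() (untrusted, trusted Result, err error) {
	cert := mustSelfSignedCert()
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}, MinVersion: tls.VersionTLS12})
	if err != nil {
		return
	}
	defer ln.Close()
	go serve(ln)
	addr := ln.Addr().String()
	untrusted = connect(addr, x509.NewCertPool(), "password=secret") // no trust anchor: the browser's view
	roots := x509.NewCertPool()
	roots.AddCert(cert.Leaf)
	trusted = connect(addr, roots, "password=secret") // the test certificate installed as trusted
	return
}
```

Run it and compare the two results: the untrusted attempt never gets past the handshake (so the browser's warning is about whether it can verify who it is talking to, not about a missing cipher), while the trusted attempt shows a negotiated cipher suite and a reply that came back encrypted without any "encrypt with the private key" step; the server's private key only served to authenticate the handshake. The only difference between the two runs is the client's trust store, which is exactly what a certificate from a CA the browser already trusts changes.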
