>
> I still don't follow. For example, if Bob has a cert with his name,
> public key, some encrypted private data, and the CA signature. When
> Bob sends his cert to a server to make a SSL connection, his cert might
> be intercepted by John. And then, John could use the same cert to fake
> as Bob. As far as the server, it receives two identical certs and thinks
> both come from Bob. The server cannot tell difference between Bob and John.
>
> Of course, John could not change the cert. But, John could simply fakes
> as Bob. Is it correct?
A certificate by itself proves nothing because certificates are
public. Anyone can posses a certificate. I can get the Verisign
certificate by extracting it from my browser. But that does not mean
I can pretend to be Verisign. Each certificate has a matching private
key. When the user sends a certificate to the server it is used by
the server to send a challenge to the client. Only the person that
has the private key will be able to answer the challenge. So in your
example above only John can use the certificate as a form of
authentication because only John has the private key.
Now if Bob was able to steal the private key then he could pretend to
be John.
Jeffrey Altman * Sr.Software Designer * Kermit-95 for Win32 and OS/2
The Kermit Project * Columbia University
612 West 115th St #716 * New York, NY * 10025
http://www.kermit-project.org/k95.html * [EMAIL PROTECTED]
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
