Although we haven't explicitly written anything about this, we
certainly looked at this issue from both a security perspective
as well as denial of service perspective, when we needed to
do something very similar to what you are talking about.
The solution essentially involved
a) Having the server limit itself as to which ciphers it
could use. In our case, we limited it to one cipher.
b) Having the clients make use of certificates which
are issued and distributed by the owner of the
server.
I don't see how you would be able to do anything illicit,
even with full access to the source. (I could be wrong and
am willing to stand corrected, though).
You mention to forget about signed digital money. I presume
by this you mean to avoid that part of the problem? That is
part of the problem that does need to be solved...
[EMAIL PROTECTED] wrote:
>
> Has anyone written anything about the problem of using OpenSSL in an untrusted
> environment? If there is nothing written I would consider studying it and
> sharing the results.
>
> Here's the problem. Suppose you want to communicate securely with an
> UNTRUSTED party who can authenticate themselves to you.
--
------------------------------------------------------------
Thomas Reinke Tel: (905) 331-2260
Director of Technology Fax: (905) 331-2504
E-Soft Inc. http://www.e-softinc.com
Publishers of SecuritySpace http://www.securityspace.com
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
