Michael -
It's true that a cert won't function unless the cert holder also has the
corresponding private key, but the ongoing discussion about these certs was
assuming that the owner of the private/public key pair would distribute
everything (cert, BOTH keys, etc.) to other parties.

Several responses to the original post (and to the follow-ups) have nicely
summarized the issue, and it boils down to this: there's no way to verify with
complete certainty that the holder of a client certificate is the cert's
owner. Period.
--- Michael Sierchio <[EMAIL PROTECTED]> wrote:
> Al Shaver wrote:
>
> > Regarding clients' Digital IDs... you're right. There's no security
> > there at all (based on my limited understanding of how they're issued
> > and used). Even if a CA like Verisign went to _extreme_ lengths to
> > verify the identity of the person applying for the ID (which they
> > don't), I don't know of any way to stop someone from distributing
> > their ID to others, or making the ID non-functional on anyone else's
> > system.
>
> Huh? The ID is non-functional to anyone who does not possess the
> private key.
>
>
> ______________________________________________________________________
> OpenSSL Project                                 http://www.openssl.org
> User Support Mailing List                    [EMAIL PROTECTED]
> Automated List Manager                           [EMAIL PROTECTED]
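The two points made in this exchange, that a cert is inert without its private key and that a copied key+cert pair is indistinguishable from the owner's, can be shown with the openssl command-line tool. The script below is an added example, not code from the thread or from the OpenSSL project; it assumes `openssl` is on PATH, and the names (alice, bob, mallory), the file paths and the random challenge are constructed for the demonstration.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes the openssl CLI
# is on PATH. Identities and file names below are constructed for the demo.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a key pair and a self-signed client cert bound to that public key.
make_identity() {
    name=$1
    openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
        -out "$WORK/$name.key" 2>/dev/null
    openssl req -new -x509 -key "$WORK/$name.key" -subj "/CN=$name" \
        -days 1 -out "$WORK/$name.crt" 2>/dev/null
}

# A server-side challenge: the client must sign it to prove it holds the
# private key matching the certificate it presents (what TLS client auth
# does with the CertificateVerify message).
CHALLENGE="$WORK/challenge.bin"
openssl rand -out "$CHALLENGE" 32

# Sign the challenge with whatever key file the caller happens to hold.
sign_challenge() {
    key=$1; out=$2
    openssl dgst -sha256 -sign "$key" -out "$out" "$CHALLENGE"
}

# Verify a signature against the public key extracted from the certificate.
# Echoes "accepted" or "rejected" and never exits, so it is safe under set -e.
verify_with_cert() {
    cert=$1; sig=$2
    openssl x509 -in "$cert" -pubkey -noout > "$WORK/pub.pem"
    if openssl dgst -sha256 -verify "$WORK/pub.pem" -signature "$sig" \
        "$CHALLENGE" >/dev/null 2>&1; then
        echo accepted
    else
        echo rejected
    fi
}

make_identity alice
make_identity mallory

# 1. Alice, holding her own key, proves possession: accepted.
sign_challenge "$WORK/alice.key" "$WORK/alice.sig"
RESULT_OWNER=$(verify_with_cert "$WORK/alice.crt" "$WORK/alice.sig")

# 2. Mallory has a copy of Alice's cert but only her own key: the cert is
#    useless to her, exactly as Michael says.
sign_challenge "$WORK/mallory.key" "$WORK/mallory.sig"
RESULT_CERT_ONLY=$(verify_with_cert "$WORK/alice.crt" "$WORK/mallory.sig")

# 3. Bob was handed the cert AND the private key by Alice: accepted, and
#    nothing in the exchange tells the verifier it is not Alice, which is
#    Al's point.
cp "$WORK/alice.key" "$WORK/bob-copy.key"
sign_challenge "$WORK/bob-copy.key" "$WORK/bob.sig"
RESULT_SHARED_KEY=$(verify_with_cert "$WORK/alice.crt" "$WORK/bob.sig")

echo "owner: $RESULT_OWNER, cert only: $RESULT_CERT_ONLY, shared key: $RESULT_SHARED_KEY"
```

Run it as `sh demo.sh`; the three results are accepted, rejected, accepted. The verifier only ever learns that the peer can sign with the key the cert names. Whether that key sits with the person the CA vetted, or with anyone they copied it to, is invisible to the protocol.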