On Wed, 24 Jan 2001, Dale Peakall wrote:
> Not quite sure what you mean by bogus certificate.
Test certificates (Snake Oil and such).
> The protection of this private-key is what's important here. You may
> rely on the hardware being physically secure to prevent the key being
> stolen, or on the operating system, or require that the private-key be
> stored on a smart-card. However you do it, your guarantee of client
> id is only as secure as that private key.
So, how do the browsers manage the private-key? Is it only the OS that prevents
unauthorized access to it?
> E-mail attachments are generally a fairly reliable means of returning
> the appropriate data.
>
> > How do I know that I'm giving the certificate to the browser that
> > requested it?
>
> You get them to include a password in the request, which is used to
> encrypt the private-key. Without that password, the private-key is
> of no use to them and they can't perform client authentication.
Do the browsers manage this by themselves? (i.e.: Do they prompt for the
passphrase as mod_ssl does on starting up?)
> The real big question, is how do you know that they are who they claim
> to be when they make a certificate request.
Mmmhh... What sort of information can you ask for to validate?
Thanks
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
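Added example, not from the thread or from the OpenSSL project's own documentation: the passphrase-encrypted client private key described in the reply above, built with the openssl CLI and bundled with a certificate into the PKCS#12 form a browser imports. The key name, passphrase and self-signed certificate are constructed stand-ins (a real deployment would use a CA-issued certificate).

```shell
#!/bin/sh
# Added example: protect a client private key with a passphrase and show
# that neither the key nor the PKCS#12 bundle opens without it.
# Assumes the openssl CLI is on PATH. All names and values are constructed.

set -u
WORK="$(mktemp -d)"
trap 'rm -rf "$WORK"' EXIT
PASS='correct-passphrase'   # constructed sample value, not from the thread

# Generate an RSA key plus a self-signed certificate, then keep the key
# only in passphrase-encrypted (AES-256, PKCS#8) form and bundle it as PKCS#12.
make_client_material() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=example-client" \
        -keyout "$WORK/client-key.pem" -out "$WORK/client-cert.pem" >/dev/null 2>&1 || return 1
    openssl pkey -in "$WORK/client-key.pem" -aes256 \
        -passout "pass:$PASS" -out "$WORK/client-key.enc.pem" >/dev/null 2>&1 || return 1
    rm -f "$WORK/client-key.pem"   # the cleartext copy is not retained
    openssl pkcs12 -export -inkey "$WORK/client-key.enc.pem" -passin "pass:$PASS" \
        -in "$WORK/client-cert.pem" -passout "pass:$PASS" \
        -out "$WORK/client.p12" >/dev/null 2>&1
}

# Succeeds only if the encrypted PEM key decrypts under the given passphrase.
key_unlocks_with() {
    openssl pkey -in "$WORK/client-key.enc.pem" -passin "pass:$1" -noout >/dev/null 2>&1
}

# Succeeds only if the PKCS#12 bundle opens under the given passphrase.
p12_unlocks_with() {
    openssl pkcs12 -in "$WORK/client.p12" -passin "pass:$1" -nokeys -noout >/dev/null 2>&1
}

# Stand-alone demonstration: the right passphrase opens the key, a wrong one does not.
if make_client_material; then
    key_unlocks_with "$PASS" && echo "key opens with the correct passphrase"
    key_unlocks_with 'wrong-passphrase' || echo "key is unreadable without it"
    p12_unlocks_with "$PASS" && echo "PKCS#12 bundle opens with the correct passphrase"
fi
```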