Jeffrey, thanks for responding.
> Is your goal to pay for one Verisign certificate and be able to use it for a
> large number of privately generated free certificates which would not be
> trusted by the client?

No, not at all. We're not trying to save a few hundred dollars by doing this. This is just a side effect.... The Hosts are not visible from the Client's location; the Proxy has to be in the middle.

> The client cannot trust the host because the client is not verifying the Host's certificate.
> The client has no way of knowing whether or not the proxy server has been compromised. Therefore it is not acceptable
> to trust the proxy to decrypt and re-encrypt the data. You have now introduced a man in the middle.

I think there's an error in your logic. First you state that the Client cannot trust the Host because it hasn't verified its certificate, then you go on to say that it is because it has no way of knowing whether the Proxy has been compromised or not. I think these are two separate problems:

1. Verifying identities based on a trust chain.
2. Trusting or not trusting someone, or someone's judgement, by determining whether they have been compromised or not.

I think 1) is solved by this process. I also think that 2) will never be solved by anyone. Think about it this way: if the Client were to connect to the Host directly, it would still have no way of knowing if the Host itself had been compromised or not.

>> The first question is, is this cryptographically sound if we assume that Proxy has not fallen into the wrong hands?
> No. It is not a sound security process.

Even if we "assume that Proxy has not fallen into the wrong hands"? Can you elaborate?

> I am available for consulting. You may contact me at jaltman at secure-endpoints.com for that purpose.

I have been contacted by one of the OpenSSL developers and we're working on this problem, but I have emailed you at the above email address nonetheless.
Thanks in advance,
Marton Anka
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                           [EMAIL PROTECTED]
Automated List Manager                              [EMAIL PROTECTED]
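The design argued about above (the Client verifies the Proxy against a public CA, the Proxy verifies each Host against its own private CA, and the Client never sees a Host certificate) as an added shell example. This is not part of the mailing-list exchange and not OpenSSL project code; it only uses the openssl command-line tool. It builds two throwaway CAs and checks each leaf certificate against each root, which makes the two points in the reply concrete: every hop's identity check is only as strong as the trust root that hop holds, and the Client's trust store says nothing about the Hosts. The names (Proxy Private CA, host1.internal, proxy.example.com) and the stand-in "public" CA are invented for the example.

```shell
#!/bin/sh
# Added example: two independent trust chains in a TLS-terminating proxy.
# Not from the thread. All names and the stand-in "public" CA are invented;
# everything is written to a scratch directory that is removed on exit.
set -e

# Create the scratch PKI and set PKI_DIR for the later calls:
#   private-ca : root run by the Proxy operator (the "free" private certs)
#   public-ca  : stand-in for the CA the Client's trust store contains
#   host       : leaf for a Host, issued by private-ca
#   proxy      : leaf for the Proxy, issued by public-ca
setup_pki() {
    PKI_DIR=$(mktemp -d)
    trap 'rm -rf "$PKI_DIR"' EXIT

    # Self-signed roots; throwaway 2048-bit RSA keys, no passphrase.
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$PKI_DIR/private-ca.key" -out "$PKI_DIR/private-ca.pem" \
        -subj "/CN=Proxy Private CA" 2>/dev/null
    openssl req -x509 -newkey rsa:2048 -nodes -days 3650 \
        -keyout "$PKI_DIR/public-ca.key" -out "$PKI_DIR/public-ca.pem" \
        -subj "/CN=Public CA stand-in" 2>/dev/null

    issue_leaf host  "host1.internal"    private-ca
    issue_leaf proxy "proxy.example.com" public-ca
}

# issue_leaf NAME CN ISSUER: make a CSR for CN and sign it with
# $PKI_DIR/ISSUER.pem / ISSUER.key, producing $PKI_DIR/NAME.pem.
issue_leaf() {
    openssl req -newkey rsa:2048 -nodes -subj "/CN=$2" \
        -keyout "$PKI_DIR/$1.key" -out "$PKI_DIR/$1.csr" 2>/dev/null
    openssl x509 -req -days 365 -in "$PKI_DIR/$1.csr" \
        -CA "$PKI_DIR/$3.pem" -CAkey "$PKI_DIR/$3.key" -CAcreateserial \
        -out "$PKI_DIR/$1.pem" 2>/dev/null
}

# verify_chain LEAF ROOT: returns 0 if $LEAF.pem chains to $ROOT.pem, else 1.
# The ": OK" line is matched rather than the exit status because OpenSSL
# 1.0.x `openssl verify` exits 0 even when verification fails.
verify_chain() {
    openssl verify -CAfile "$PKI_DIR/$2.pem" "$PKI_DIR/$1.pem" 2>&1 \
        | grep -q ': OK$'
}

# report WHO LEAF ROOT: one human-readable line per check.
report() {
    if verify_chain "$2" "$3"; then
        echo "$1 verifying $2 against $3: OK"
    else
        echo "$1 verifying $2 against $3: FAILS"
    fi
}

setup_pki
report "Client" proxy public-ca    # the one hop the Client authenticates
report "Proxy"  host  private-ca   # the hop only the Proxy can authenticate
report "Client" host  public-ca    # the Client cannot verify any Host
report "Proxy"  proxy private-ca   # the roots are not interchangeable either way
```

Run it with `sh` on a machine that has the openssl command-line tool. The two FAILS lines are the point: the Client's chain check stops at the Proxy, so whatever assurance the Client has about a Host comes entirely from trusting the Proxy's judgement and integrity, which is the second of the two problems the reply separates out.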