> A certificate essentially says something like "I am Verisign, and I certify that Joe Schmoe is the rightful owner of the private key whose corresponding public key is X".
>
> The certificate itself is generally considered public information and it is not a problem if the certificate is intercepted. If someone else presents that certificate, it still conveys only the correct and valid information that Joe Schmoe is the rightful owner of that key, as decided by Verisign.
>
> I think your question comes out of a misunderstanding of what you actually *do* with a certificate. In the example of a browser going to a secure web site, the browser receives the certificate and does the following checks:
>
> 1) Is the certificate valid and properly signed by a certification authority?
>
> 2) Do I trust that certificate authority for the purpose of authenticating web sites?
>
> 3) Is the name in the certificate actually the place I was trying to reach? (If I was trying to reach "www.amazon.com", is this the name in the certificate?)
>
> 4) Can the machine I reached prove that it holds the corresponding private key to the public key in the certificate?
>
> If all four questions get yes answers, then you see that little locking icon. If the certificate is used by anyone else, they will fail test 4 unless they have the site's corresponding private key.
>
> The same applies to a VPN authentication operation, assuming it's properly designed. Presenting the certificate is only one step. You still have to prove that you are the party the certificate was issued to by demonstrating possession of the private key.
Ok, so if it is not a problem if the certificate is intercepted, how do you "prove that you are the party the certificate was issued to by demonstrating possession of the private key"? Is it a special configuration of the VPN?

thx
david
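The four checks from the quoted reply, with the proof-of-possession step of check 4 done as a challenge-response, as an added example that belongs to neither post. It builds a throwaway root CA and issues a certificate to a hypothetical host "vpn.example.com"; the CA name, host name and the use of ECDSA P-256 are assumptions for the demo. The verifier sends a fresh random challenge, the peer signs it with the private key, and the verifier checks the signature against the public key inside the certificate. An impostor who merely intercepted the certificate has a different private key, so its signature does not verify; a certificate for a different name fails check 3 before the challenge is even sent.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Signer is whatever the remote party uses to answer a challenge. The real
// holder signs with the certificate's private key; an impostor cannot.
type Signer func(challenge []byte) ([]byte, error)

// newCA creates a self-signed root CA (a hypothetical stand-in for Verisign).
func newCA() (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Example Root CA"}, // assumed name
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueCert has the CA sign an end-entity certificate binding host to pub.
// Only the public key goes in; the CA never sees the holder's private key.
func issueCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, pub, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Authenticate runs the four checks from the quoted reply against a
// presented certificate and a peer that can answer challenges.
func Authenticate(cert *x509.Certificate, roots *x509.CertPool, host string, remote Signer) error {
	// Checks 1-3: valid, signed by a CA we trust, and issued for the host we wanted.
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots, DNSName: host}); err != nil {
		return fmt.Errorf("certificate check failed: %w", err)
	}
	// Check 4: proof of possession. A fresh random challenge means a signature
	// captured from an earlier session cannot be replayed.
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return err
	}
	sig, err := remote(challenge)
	if err != nil {
		return err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return errors.New("unexpected public key type in certificate")
	}
	digest := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return errors.New("proof of possession failed: peer does not hold the private key")
	}
	return nil
}

// signWith returns a Signer that answers challenges with the given key.
func signWith(key *ecdsa.PrivateKey) Signer {
	return func(challenge []byte) ([]byte, error) {
		digest := sha256.Sum256(challenge)
		return ecdsa.SignASN1(rand.Reader, key, digest[:])
	}
}

// Scenario issues a certificate for host and reports three outcomes: the
// legitimate holder, an impostor presenting the intercepted certificate with
// its own key, and the legitimate holder reached under the wrong host name.
func Scenario(host string) (holderErr, impostorErr, wrongHostErr error) {
	ca, caKey, err := newCA()
	if err != nil {
		return err, err, err
	}
	holderKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err
	}
	cert, err := issueCert(ca, caKey, host, &holderKey.PublicKey)
	if err != nil {
		return err, err, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	impostorKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err, err, err
	}
	holderErr = Authenticate(cert, roots, host, signWith(holderKey))
	impostorErr = Authenticate(cert, roots, host, signWith(impostorKey))
	wrongHostErr = Authenticate(cert, roots, "other."+host, signWith(holderKey))
	return
}

func main() {
	h, i, w := Scenario("vpn.example.com")
	fmt.Println("legitimate holder:", h)
	fmt.Println("impostor with intercepted certificate:", i)
	fmt.Println("wrong host name:", w)
}
```

Real protocols do not use a bare nonce like this: TLS has the peer sign a hash of the handshake transcript in its CertificateVerify message, and IKE signs the exchange's authentication data, but the principle is the same: the verifier supplies unpredictable input and the peer can only sign it with the private key matching the certificate. Nothing special has to be configured on the VPN for this; it is part of certificate-based authentication itself, which is why a copied certificate on its own gets an attacker nowhere.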