> > For now, my purpose is not to establish and identity of a server with the > > certificate. I plan to use a signed certificate, so that the client can be > > sure > > that the server indeed holds the private key associated with the > > public key > > provided by the server in its certificate. > > You have a non-standard security model. The standard SSL security model has > the CA sign the certificate to verify that the *name* in the certificate > belongs to the key in the certificate. > > It is almost always a mistake to try to get commodity software to enforce a > non-standard security model. That is, you can't expect programs like firefox > and IE to connect to SSL servers using certificates generated with a > non-standard security model and get any kind of sane behavior. > > It sounds like you don't need a certificate at all. You just need the server > to be able to prove that it own a particular private key. Presumably this is > for server persistence (so I can tell I'm talking to the same server I was > last time). > > So I think the servers should be using self-signed certificates and the > clients should be configured to accept self-signed certificates (since they > don't care about being able to verifyt the common name). > > There is no point in having a CA at all, as I understand your problem. > > The only point in embedding the CA in the installer and configured the > clients to trust the CA would be to all the clients to trust the common name > in the certificate. But clearly the clients *can't* trust the common name in > the certificate. > > So it seems like you're trying to solve a "problem" that's actually a design > property of your security model.
I doubt if self signed certificate will be a good idea, as against a signed certificate. With the approach I am proposing, the server installer itself works like a CA. Only an authorized person will have access to this installer (say admin) and can generate a signed certificate. Now what happens if someone changes the key and the certificate in the server? If I am using a self signed certificate, this change will not be detected. If I am using a CA signed certificate (which only the admin can do through the installer), any such change / modification to the server certificate will be detected as the modified certificate will not be validated at the client side (as it will not be signed). This is the reason, why I plan to use a CA signed cert instead of self signed cert at the server. Also, I do plan to user server certificates (and client certificate also) for proving the identity, but not in this phase. DISCLAIMER ========== This e-mail may contain privileged and confidential information which is the property of Persistent Systems Pvt. Ltd. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Persistent Systems Pvt. Ltd. does not accept any liability for virus infected mails. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
