* Kyle Hamilton wrote on Wed, Apr 09, 2008 at 14:22 -0700: > Each peer goes through this process: > 1) peer creates a keypair > 2) peer generates a CSR (certificate signing request) for its public key. > 3) peer connects to server, submits CSR along with whatever > information necessary to determine that the certificate should be > issued. > 4) Server signs the certificate with its private key, and sends signed > certificate back to peer. peer and server disconnect.
(That means the CA remotely signs online submitted CSRs and sends back a Cert immediately? Maybe such a CA would not be that trustworthy...) > Then, on peer-peer connection: > 1) peer(listener) presents its own certificate, requests > peer(connector) certificate from same CA. > 2) peer(connector) verifies peer(listener)'s certificate (and proof > that it has the private key paired with the pubkey in that > certificate), presents its own certificate. > 3) peer(listener) verifies peer(connector)'s certificate (and proof > that it has the private key paired with the pubkey in that > certificate). > > Each peer has a copy of the CA certificate in its trusted root > authorities store. When they receive a peer certificate, they verify > the signature on that certificate as being from that CA, and then > verify that the peer that it's talking with actually has the private > key associated with that certificate. Then they look at the > information in that certificate (expiration date, etc). > > This is what TLS with client authentication does. Yes, then it is know if the peer's identity is authentic. For instance, that it is really is `Malicious Hacker' from China that is connected (and noone else can decrypt data sent to them :)), as the certificate correctly states, protected by strong cryptography... Without authorisation this probably would be too weak. Often it might be needed to find out if the identity / entity that is connected (and authenticated) is authorised to use the particular service. oki, Steffen About Ingenico Throughout the world businesses rely on Ingenico for secure and expedient electronic transaction acceptance. Ingenico products leverage proven technology, established standards and unparalleled ergonomics to provide optimal reliability, versatility and usability. This comprehensive range of products is complemented by a global array of services and partnerships, enabling businesses in a number of vertical sectors to accept transactions anywhere their business takes them. www.ingenico.com This message may contain confidential and/or privileged information. If you are not the addressee or authorized to receive this for the addressee, you must not use, copy, disclose or take any action based on this message or any information herein. If you have received this message in error, please advise the sender immediately by reply e-mail and delete this message. Thank you for your cooperation. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
