* Kyle Hamilton wrote on Wed, Apr 09, 2008 at 14:22 -0700:
> Each peer goes through this process:
> 1) peer creates a keypair
> 2) peer generates a CSR (certificate signing request) for its public key.
> 3) peer connects to server, submits CSR along with whatever
> information necessary to determine that the certificate should be
> issued.
> 4) Server signs the certificate with its private key, and sends signed
> certificate back to peer.  peer and server disconnect.

(That means the CA remotely signs online submitted CSRs and sends
 back a Cert immediately? Maybe such a CA would not be that
 trustworthy...)

> Then, on peer-peer connection:
> 1) peer(listener) presents its own certificate, requests
> peer(connector) certificate from same CA.
> 2) peer(connector) verifies peer(listener)'s certificate (and proof
> that it has the private key paired with the pubkey in that
> certificate), presents its own certificate.
> 3) peer(listener) verifies peer(connector)'s certificate (and proof
> that it has the private key paired with the pubkey in that
> certificate).
> 
> Each peer has a copy of the CA certificate in its trusted root
> authorities store.  When they receive a peer certificate, they verify
> the signature on that certificate as being from that CA, and then
> verify that the peer that it's talking with actually has the private
> key associated with that certificate.  Then they look at the
> information in that certificate (expiration date, etc).
> 
> This is what TLS with client authentication does.

Yes, then it is known if the peer's identity is authentic. For
instance, that it really is `Malicious Hacker' from China that
is connected (and no one else can decrypt data sent to them :)),
as the certificate correctly states, protected by strong
cryptography...

Without authorisation this probably would be too weak. Often it
might be needed to find out if the identity / entity that is
connected (and authenticated) is authorised to use the particular
service.

oki,

Steffen
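The authorisation step discussed above, as an added example in Python (not code from the thread): a listener-side SSLContext that requires a CA-signed peer certificate, followed by an ACL check on the authenticated identity read from getpeercert(). The sample certificate dict, the ACL and the service names are constructed for this example.

```python
import ssl
import time

# Constructed sample of the dict ssl.SSLSocket.getpeercert() returns after a
# successful mutual-TLS handshake (names and dates are made up for the example).
SAMPLE_PEERCERT = {
    "subject": ((("commonName", "peer-42"),), (("organizationName", "Example P2P"),)),
    "issuer": ((("commonName", "Example P2P CA"),),),
    "notAfter": "Jan  1 00:00:00 2030 GMT",
    "subjectAltName": (("DNS", "peer-42.example.net"),),
}

# Hypothetical per-service ACL: which authenticated identities may use which service.
SERVICE_ACL = {
    "file-share": {"peer-42", "peer-7"},
    "admin": {"peer-7"},
}


def listener_context(ca_file, cert_file, key_file):
    """Listener side of the peer-peer exchange: present our own certificate and
    require the connector's certificate, verified against the shared CA."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.load_cert_chain(cert_file, key_file)
    ctx.load_verify_locations(ca_file)
    ctx.verify_mode = ssl.CERT_REQUIRED  # handshake fails without a CA-signed peer cert
    return ctx


def peer_identity(peercert):
    """Return the subject commonName from a getpeercert() dict, or None."""
    for rdn in peercert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return value
    return None


def is_authorised(peercert, service, acl=SERVICE_ACL, now=None):
    """The step TLS does not do: map the authenticated identity onto the
    service's ACL. Expiry is re-checked so a long-lived session can be cut
    off after the certificate lapses (the handshake only checked it once)."""
    now = time.time() if now is None else now
    if now >= ssl.cert_time_to_seconds(peercert["notAfter"]):
        return False
    ident = peer_identity(peercert)
    return ident is not None and ident in acl.get(service, set())
```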
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]