On Thu, Apr 10, 2008 at 3:36 AM, David Schwartz <[EMAIL PROTECTED]> wrote:
>
>  Kyle Hamilton wrote:
>
>  > You can have B contact the server and obtain a signed "authorization
>  > certificate" for its key that uses custom extensions to specify 'is
>  > authorized to connect to A' for a given timeframe, and have that be
>  > the certificate that B presents when connecting to A.  Then, A looks
>  > for the 'authorized to connect to' list, finds itself in there, checks
>  > validity time, and makes the decision based on that.  No need to share
>  > the public keys, nor is there a need to tell both sides about it if
>  > the signature can be verified.
>  >
>  > If you want the server to mediate access between peers without having
>  > to have your clients constantly connected to the server, that's a way
>  > to do it.
>
>  Maybe I'm missing something, but it doesn't seem to me like that would work.
>  How does B know it is talking to A? If you expect the "is authorized to
>  connect to" certificate to contain both public keys, then how can you say "no
>  need to share the public keys"? And if not, how does B know it is talking to
>  A and A to B?

I'm assuming bidirectional authentication, and thus no need to
preshare the public keys.

B knows it's talking to A because of the CN of the certificate that A
presents as part of the SSL/TLS handshake.  A CN uniquely identifies a
given resource within the CA's identity-management realm.

A knows that it's talking to B because of the CN of the certificate
that B presents.  A also knows that B is authorized because of the
custom extension included in the certificate that B presents.  (The
format and specification of the custom extension are implementation
details; I'd suggest that since B knows that it's requested access to
A, then the server can pass the current means of contacting A as well
as the certificate that A can verify as allowing access.  Or, that
current information can just be part of the certificate that the
server issues to B.)

-Kyle H
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
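Kyle's scheme above, worked through as an added Go example (not code from this thread, OpenSSL or any project): the server's CA issues B a certificate carrying a non-critical custom extension that lists the peers B may contact, with the validity window as the authorization timeframe; A's check verifies the signature against the CA, the timeframe, and its own name in that list, with nothing about A preshared to B. The OID, the names "Server CA", "A", "B" and the one-hour window are constructed for the example.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"encoding/asn1"
	"math/big"
	"time"
)

var oidAuthorizedPeers = asn1.ObjectIdentifier{1, 3, 6, 1, 4, 1, 99999, 1} // arbitrary private-arc OID, constructed for this example
// scenario plays the server: it runs the CA and issues B a certificate whose custom extension lists the peers B may contact.
func scenario(now time.Time, peers []string) (ca, b *x509.Certificate) {
	caPub, caKey, _ := ed25519.GenerateKey(rand.Reader)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Server CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(72 * time.Hour), IsCA: true, BasicConstraintsValid: true}
	caDER, _ := x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, caPub, caKey)
	ca, _ = x509.ParseCertificate(caDER)
	bPub, _, _ := ed25519.GenerateKey(rand.Reader) // B keeps the private half; only its public key is certified
	peerList, _ := asn1.Marshal(peers)             // SEQUENCE OF PrintableString, e.g. ["A"]
	bTmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "B"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(time.Hour), // B is authorized for this window only
		ExtraExtensions: []pkix.Extension{{Id: oidAuthorizedPeers, Value: peerList}}} // non-critical
	bDER, _ := x509.CreateCertificate(rand.Reader, bTmpl, ca, bPub, caKey)
	b, _ = x509.ParseCertificate(bDER)
	return ca, b
}

// authorized is A's decision on the certificate B presented: it must chain to the CA, be valid at `now`, and name A.
func authorized(peer, ca *x509.Certificate, self string, now time.Time) (bool, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	if _, err := peer.Verify(x509.VerifyOptions{Roots: roots, CurrentTime: now}); err != nil {
		return false, err // untrusted issuer, bad signature, or outside the timeframe
	}
	var peers []string
	for _, ext := range peer.Extensions {
		if ext.Id.Equal(oidAuthorizedPeers) {
			if _, err := asn1.Unmarshal(ext.Value, &peers); err != nil {
				return false, err // our extension, but the name list is malformed
			}
		}
	}
	for _, p := range peers {
		if p == self {
			return true, nil // the server vouched that B may connect to A
		}
	}
	return false, nil // genuine, current certificate, but A is not on B's list
}
```

In a real deployment A would run this check from the TLS stack's peer-certificate callback after the handshake's own signature verification, and B would identify A by the CN of the certificate A presents, exactly as described above.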