Oh, read this again.

I retract my comment - I didn't spot the reference to mutual authentication.

There would be an alternative for the server end to trust a client certificate 
signed by the client's CA by trusting the client's root CA.

Mike Wawiorko   


-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of 
Mike Wawiorko
Sent: 29 August 2019 10:51
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: vendor distributes their private key


Charles sent this

"But for certificate-based client authentication, the server admin must send 
the client admin a client certificate AND its private (???) key."

Surely that should say public key. Or am I missing something?

Mike Wawiorko

-----Original Message-----
From: IBM Mainframe Discussion List <IBM-MAIN@LISTSERV.UA.EDU> On Behalf Of 
Charles Mills
Sent: 29 August 2019 00:19
To: IBM-MAIN@LISTSERV.UA.EDU
Subject: Re: vendor distributes their private key


...

But for certificate-based client authentication, the server admin must send the 
client admin a client certificate AND its private key. Why? Philosophically, 
because a client certificate signed by a trusted CA does not prove the 
authenticity of the client. A man-in-the-middle might have previously 
intercepted the certificate and now be sending it out from HIS client as its 
own.
...

Charles
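
An added example, not part of the original messages: it uses the `openssl` command line to show the point discussed in this thread, that a certificate chaining to a trusted CA is public and proves nothing by itself, while a signature made with the matching private key over a fresh challenge does. It follows the arrangement Mike describes (the server trusts the client's own CA); all names and files are constructed, and the bare random challenge stands in for the handshake data a real TLS client signs.

```shell
#!/bin/sh
# Added illustration; every name, subject and file below is constructed.
set -eu
D=$(mktemp -d)
trap 'rm -rf "$D"' EXIT

# The client's own CA issues the client certificate. The server is given only
# ca.pem as a trust anchor; client.key never leaves the client.
make_pki() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=Demo Client CA" \
        -keyout "$D/ca.key" -out "$D/ca.pem" 2>/dev/null
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=demo-client" \
        -keyout "$D/client.key" -out "$D/client.csr" 2>/dev/null
    openssl x509 -req -in "$D/client.csr" -CA "$D/ca.pem" -CAkey "$D/ca.key" \
        -CAcreateserial -days 1 -out "$D/client.pem" 2>/dev/null
    # An impostor has a copy of client.pem (it is public) but only its own key.
    openssl genrsa -out "$D/impostor.key" 2048 2>/dev/null
}

# Client side: sign the server's challenge with a private key.
sign_challenge() {  # args: key challenge signature-out
    openssl dgst -sha256 -sign "$1" -out "$3" "$2"
}

# Server side: the chain must lead to the trusted CA AND the signature must
# verify under the public key inside the presented certificate.
server_accepts() {  # args: trusted-ca cert challenge signature
    openssl verify -CAfile "$1" "$2" >/dev/null 2>&1 || return 1
    openssl x509 -in "$2" -pubkey -noout >"$D/presented.pub" 2>/dev/null || return 1
    openssl dgst -sha256 -verify "$D/presented.pub" -signature "$4" "$3" >/dev/null 2>&1
}

verdict() {  # args: challenge signature
    if server_accepts "$D/ca.pem" "$D/client.pem" "$1" "$2"
    then echo accepted; else echo rejected; fi
}

make_pki
openssl rand -hex 32 >"$D/challenge1"
openssl rand -hex 32 >"$D/challenge2"
sign_challenge "$D/client.key"   "$D/challenge1" "$D/genuine.sig"
sign_challenge "$D/impostor.key" "$D/challenge1" "$D/impostor.sig"

echo "genuine client, fresh challenge:    $(verdict "$D/challenge1" "$D/genuine.sig")"
echo "impostor with a copy of the cert:   $(verdict "$D/challenge1" "$D/impostor.sig")"
echo "captured signature, new challenge:  $(verdict "$D/challenge2" "$D/genuine.sig")"
```

In all three cases the same certificate is presented and passes chain validation; only the first is accepted, because only the holder of `client.key` can sign the current challenge.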


----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions, send email to 
lists...@listserv.ua.edu with the message: INFO IBM-MAIN
