On 29/08/2019 9:18 am, Charles Mills wrote:

But for certificate-based client authentication, the server admin must send the 
client admin a client certificate AND its private key. Why? Philosophically, 
because a client certificate signed by a trusted CA does not prove the 
authenticity of the client. A man-in-the-middle might have previously 
intercepted the certificate and now be sending it out from HIS client as its 
own.

This doesn't sound right somehow. I suspect it is often implemented that way, but it sounds worse than password authentication with a good password.

With a password:
- the server admin supplies a password
- you are forced to change the password; the server admin should not know the new password. It's considered bad if the server admin can, e.g., run a cracking tool to find out your password

With the certificate-based client authentication as described:
- The server admin has your credentials
- you can't change them?

My understanding of the way client authentication is supposed to work:

- The client generates a public/private key pair
- The public key is incorporated into a certificate, signed by a CA. In this case it is quite valid for the server admin to be the CA. At this point the CA needs to verify the identity of the client.
- The client presents the certificate, and uses the private key known only to them to prove that the certificate belongs to them. Like a password, it is up to the client to protect the private key, and no-one else, including the server admin, should know the private key.

It doesn't matter if the man-in-the-middle has the certificate, because they can't use it without the private key. The private key is never transmitted, so no-one in the middle has the opportunity to intercept it.

It might be common for the server admin to generate the client certificates and keys because the alternative is hard to implement and manage, but it is roughly equivalent to sending passwords that the client is not allowed to change.

--
Andrew Rowley
Black Hill Software
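The flow described in the reply above, as an added worked example that is not code from the thread or from any product it discusses. It assumes a self-signed CA run by the server admin (subject "Demo CA"), a client subject "client1" and a constructed challenge string; all three names are hypothetical. The client's private key is generated on the client side and only its public half goes to the CA, and the server accepts a certificate only if a fresh nonce was signed with the matching private key, so a party who captured just the certificate is rejected.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// must and newKey keep the demo short; real CA or server code would return these errors.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}
func newKey() *ecdsa.PrivateKey { return must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) }
// IssueClientCert is the flow the post describes: the client generated the key pair itself and hands
// the CA (here the server admin) only the public half, in practice inside a CSR; the CA signs a cert.
func IssueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, clientPub *ecdsa.PublicKey) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "client1"}, // hypothetical
		NotBefore: ca.NotBefore, NotAfter: ca.NotAfter, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	return must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, tmpl, ca, clientPub, caKey))))
}
// Authenticate is the server side: the cert must chain to the trusted CA, and a fresh nonce must be
// signed by the private key matching it. A captured certificate on its own does not pass.
func Authenticate(ca, cert *x509.Certificate, nonce, sig []byte) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := cert.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	return err == nil && cert.CheckSignature(x509.ECDSAWithSHA256, nonce, sig) == nil
}
// Demo reports whether the real key holder and an interceptor holding only the cert are accepted.
func Demo() (holder, interceptor bool) {
	caKey := newKey() // the server admin acting as CA (constructed demo CA)
	caTmpl := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Demo CA"},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign}
	ca := must(x509.ParseCertificate(must(x509.CreateCertificate(rand.Reader, caTmpl, caTmpl, &caKey.PublicKey, caKey))))
	clientKey := newKey() // generated on the client; only &clientKey.PublicKey leaves it
	cert := IssueClientCert(ca, caKey, &clientKey.PublicKey)
	nonce := []byte("constructed challenge 0001") // a real server sends a fresh random nonce per handshake
	sign := func(k *ecdsa.PrivateKey) []byte { d := sha256.Sum256(nonce); return must(ecdsa.SignASN1(rand.Reader, k, d[:])) }
	holder = Authenticate(ca, cert, nonce, sign(clientKey))
	interceptor = Authenticate(ca, cert, nonce, sign(newKey())) // has the certificate but not the matching key
	return holder, interceptor
}
```

In a real TLS handshake the nonce role is played by the handshake transcript that the client signs in its CertificateVerify message; the check is the same in principle.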

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to lists...@listserv.ua.edu with the message: INFO IBM-MAIN
