Hi,
> Yep.
>
> > I am not sure I understood it (partially because I never took a close look
> > to PGP ... blame me (!!!)): can you make some real example ? Cout that be
> > the public key itself contained in the SPKAC ?
>
> Well, in PGP the fingerprint is defined somewhat like a hashvalue over the
> public key data, the emailaddress and the date (i think).
>
> When you issue a netscape client certificate the certificate also contains a
> fingerprint. I do not exactly know what this fingerprint means (perhaps
> someone else does?), but I'd like to know (if it is possible) the
> fingerprint before certifying. It all has to do with the verification
> process we want to do before certifying a key.
The fingerprint is probably just an MD5 or SHA-1 hash of the encoded
certificate. For certificate requests, the obvious "fingerprint" to check
is a hash of the fully encoded certificate request. You might well find
that existing mechanisms for Netscape browsers and whatever else use
precisely this, and if they don't I would be at a loss as to why.
> During 4 the verification of the identity is done fairly easily (passport
> etc.), but the applicant also needs to be sure the key he submitted for
> certification is the key described on the form he is about to sign (the form
> states: Yes, I'm the person described here and yes, what is described here
> in keysize, algorithm and "fingerprint" is MY public key. Yes, I'm sure.
> Yes, I'm sure, sign my key! Sorry, need to go home.)
Well, bring in your passport and whatever else, and a hash of the
certificate request you sent. I will compare that with the hash of the
certificate request I received. If they're the same hash, either the
certificate requests match exactly, MD5 and/or SHA-1 are broken, or
someone has far far far far too many spare clock cycles and a particular
desire to forge your signatures. [;-)
The alternative of course is that you just bring in a complete copy of
your certificate request and compare those with what the CA received, but
hashes are designed to achieve the same security objective without
achieving the same degree of impracticality.
Cheers,
Geoff
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
