Jan Meijer wrote:
>
> Well, in PGP the fingerprint is defined somewhat like a hash value over the
> public key data, the email address and the date (I think).
>
> When you issue a netscape client certificate the certificate also contains a
> fingerprint. I do not exactly know what this fingerprint means (perhaps
> someone else does?), but I'd like to know (if it is possible) the
> fingerprint before certifying. It all has to do with the verification
> process we want to do before certifying a key.
>
Well no. The Netscape fingerprint is the MD5 hash of the DER encoding of
the certificate (compatible with the -fingerprint option of 'x509') so
by definition you can't determine it before you issue the certificate.
However...
> The process can be described as follows:
>
> 1. applicant requests certificate (submits public key to enrollment)
> 2. enrollment server sends back key details (things identifying the key for
> 100%) (I know, this can be cracked, we solved it procedurally :)
> 3. CA verifies link between applicant and organisation (it's our office CA)
> 4. CA verifies link between applicant and public key and verifies identity
> of applicant
> 5. CA signs certificate request
> 6. CA hands out certificate
>
> During 4 the verification of the identity is done fairly easily (passport
> etc.), but the applicant also needs to be sure the key he submitted for
> certification is the key described on the form he is about to sign (the form
> states: Yes, I'm the person described here and yes, what is described here
> in keysize, algorithm and "fingerprint" is MY public key. Yes, I'm sure.
> Yes, I'm sure, sign my key! Sorry, need to go home.)
>
> but: I hope I've made my problem clear. Both the applicant and the CA need
> to know what public key they're talking about. In PGP there is the
> fingerprint mechanism, in netscape also, but it only works _after_
> certification :( and I need it before.....
>
Hmmm, this is sort of a Netscape problem. A key that doesn't yet have a
certificate is invisible and cannot be used. After the initial SPKAC
containing the public key and signature you can't get anything else out
of it.
Anyway, I gather you want to have the user make sure it is their public
key. However the question is why? If the public key doesn't correspond
to a private key in Netscape's database then it won't install the
certificate.
Steve.
--
Dr Stephen N. Henson. http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED]
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
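Added example (not code from either poster, and not part of OpenSSL's own tooling) showing the two points made in the reply with nothing but the openssl command line: the certificate fingerprint that 'x509 -fingerprint' prints is an MD5 over the DER encoding of the whole certificate, so it cannot exist before issuance, whereas the public key carried in the SPKAC can be fingerprinted before issuance and that value is unchanged in the certificate eventually issued for it. It assumes an openssl binary (1.0 or later) on the PATH; the key, challenge string and subject name are constructed fixtures.

```shell
#!/bin/sh
# Added example, not from the thread. Shows that the certificate fingerprint
# is MD5 over the DER certificate (only available after issuance), while the
# key in the SPKAC can be fingerprinted before the CA signs anything.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
KEY="$WORK/key.pem"      # applicant's private key (constructed fixture)
SPKAC="$WORK/spkac.txt"  # Netscape SPKAC: signed public key and challenge
CERT="$WORK/cert.pem"    # self-signed stand-in for the CA-issued certificate

# Turn a raw hex digest into the AA:BB:CC... form that 'openssl x509' prints.
colonize() { tr 'a-f' 'A-F' | sed 's/../&:/g; s/:$//'; }

# MD5 over whatever DER bytes arrive on stdin, formatted with colons.
md5_der() { openssl dgst -md5 | awk '{print $NF}' | colonize; }

# Build the fixture: key, SPKAC (what the browser submits), self-signed cert.
make_fixture() {
  openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 -out "$KEY" 2>/dev/null
  openssl spkac -key "$KEY" -challenge enrollment-demo -out "$SPKAC"
  openssl req -x509 -new -key "$KEY" -subj "/CN=spkac-example" -days 1 -out "$CERT" 2>/dev/null
}

# Fingerprint exactly as printed by 'openssl x509 -fingerprint -md5'.
cert_fp_x509() { openssl x509 -in "$1" -noout -fingerprint -md5 | sed 's/^.*=//'; }

# The same value computed by hand: DER-encode the certificate, then MD5 it.
cert_fp_manual() { openssl x509 -in "$1" -outform DER | md5_der; }

# Key-level fingerprint: MD5 over the DER SubjectPublicKeyInfo taken from the
# SPKAC, available before any certificate exists.
spkac_pubkey_fp() {
  openssl spkac -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | md5_der
}

# Same key-level fingerprint from the applicant's private key and from the
# issued certificate, so both sides can compare against the SPKAC value.
privkey_pubkey_fp() { openssl pkey -in "$1" -pubout -outform DER | md5_der; }
cert_pubkey_fp() {
  openssl x509 -in "$1" -noout -pubkey | openssl pkey -pubin -outform DER | md5_der
}

# Checks the proof-of-possession signature inside the SPKAC (exit 0 when OK).
spkac_verify() { openssl spkac -in "$1" -noout -verify >/dev/null 2>&1; }

make_fixture
echo "certificate fingerprint (x509 -fingerprint): $(cert_fp_x509 "$CERT")"
echo "certificate fingerprint (MD5 over DER):      $(cert_fp_manual "$CERT")"
echo "public key fingerprint from SPKAC:           $(spkac_pubkey_fp "$SPKAC")"
echo "public key fingerprint from private key:     $(privkey_pubkey_fp "$KEY")"
echo "public key fingerprint from issued cert:     $(cert_pubkey_fp "$CERT")"
```

The first two lines printed agree, which is the 'x509 -fingerprint' compatibility the reply describes, and the last three agree, which is the value an enrollment form could show the applicant before the CA signs. The digest is MD5 only because that is what the Netscape fingerprint used; for a form compared by humans today a SHA-256 over the same DER public key (openssl dgst -sha256) is the sensible choice.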