Hi all,

This weekend I read the SSL spec and I am wondering about the following.
Suppose I am the owner of an e-shop and I have a secure webserver. In
order to make sure that all product orders I get are for real, I require
that clients present a valid certificate during the SSL handshake.
However, since after the handshake SSL switches to an encryption method
based on symmetric keys (right?), it makes no sense to store the
encrypted order of a client in a database, because the client can always
argue that I made up the encrypted order myself (which I can since I
know the symmetric key). The only thing the client cannot deny is that
he has made a secure connection with my webserver, but apart from that
nothing can be proven.

Is this right, and if yes, is there a way within SSL (openssl) to
provide non-repudiation?

Thanks for your attention,
Maurice
-- 
Maurice klein Gebbinck  <[EMAIL PROTECTED]>
Joint Research Centre, Space Applications Institute
Strategy and Systems for Space Applications unit, TP 261
21020 Ispra (VA), Italy
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
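The scenario raised in the post above, worked through as an added example (not from the poster and not part of any OpenSSL documentation): the TLS record layer uses a symmetric session key that the server also holds, so a ciphertext the shop stored cannot convince a third party of anything. What can is a digital signature made with the private key behind the client's certificate, computed over the order itself at the application layer. The shop keeps the order, the detached signature and the presented certificate; a verifier needs only the certificate's public key, and the shop cannot produce such a signature itself because it never holds the client's private key. The client identity here is a self-signed certificate generated on the fly (standing in for one issued by the shop's CA), the order text and the subject name `example-client` are constructed placeholders, and the script assumes the `openssl` command-line tool is installed.

```shell
#!/bin/sh
# Added example (not from the original post): non-repudiation of an order via a
# detached signature under the client's certificate key, verified with the
# certificate alone. Assumes the openssl command-line tool is available.

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Constructed client identity: a self-signed certificate stands in for one issued
# by the shop's CA. The subject name is a placeholder.
make_client_identity() {
    openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 1 \
        -subj "/CN=example-client" \
        -keyout "$WORK/client.key" -out "$WORK/client.crt" >/dev/null 2>&1
}

# Client side: detached SHA-256 RSA signature over the exact order bytes.
# $1 = order file, $2 = signature file to write
sign_order() {
    openssl dgst -sha256 -sign "$WORK/client.key" -out "$2" "$1"
}

# Server (or later an arbitrator) side: verify with nothing but the public key
# taken from the certificate the client presented. Prints "valid" or "invalid".
# $1 = order file, $2 = signature file, $3 = client certificate
verify_order() {
    openssl x509 -in "$3" -pubkey -noout > "$WORK/client.pub"
    if openssl dgst -sha256 -verify "$WORK/client.pub" -signature "$2" "$1" >/dev/null 2>&1; then
        echo valid
    else
        echo invalid
    fi
}

# Build a constructed order, sign it once, and make a tampered copy that models
# the shop changing the quantity after the fact.
setup_demo() {
    make_client_identity
    printf 'order-id: 1001\nitem: widget\nqty: 3\n' > "$WORK/order.txt"
    sign_order "$WORK/order.txt" "$WORK/order.sig"
    sed 's/qty: 3/qty: 30/' "$WORK/order.txt" > "$WORK/order_tampered.txt"
}

# Verification result for the stored, untouched order: "valid".
genuine_result() {
    verify_order "$WORK/order.txt" "$WORK/order.sig" "$WORK/client.crt"
}

# Verification result after the stored order was altered: "invalid",
# because the signature covers the original bytes only.
tampered_result() {
    verify_order "$WORK/order_tampered.txt" "$WORK/order.sig" "$WORK/client.crt"
}

setup_demo
echo "genuine order:  $(genuine_result)"
echo "tampered order: $(tampered_result)"
```

In practice the shop stores the certificate (or at least its fingerprint and the CA chain) together with the signature, since the signature is only as meaningful as the binding between that public key and the customer; `openssl smime -sign` or `openssl cms -sign` produce a PKCS#7/CMS envelope that carries the signer's certificate inside the signature for exactly this reason. A signed order should also include something that prevents replay of an old signature, such as an order number or timestamp inside the signed text, as the constructed `order-id` line does here.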
