Al and others,
Hi. Thanks for your response. I realize that gives an extra level of
security from the **SERVER** side.
What I am specifically referring to is the **client** authorization allowed
with SSL 3.0. If you look at the VeriSign link I pointed to below, it
talks about this optional ability with SSL 3.0, where the server can ask the
client for HIS/HER certificate. This is what I'm specifically
curious about, because how would they define a client certificate where it
couldn't be copied? I suppose it could utilize the same
security as you have mentioned for server authentication, whereby the
certificate is keyed to the computer in some way, though I couldn't
envision this working very well... what if a person uses multiple computers
(work/home)? Then this method wouldn't work...
Any ideas?
Thanks,
brian
> -----Original Message-----
> From: Al Shaver [mailto:[EMAIL PROTECTED]]
> Sent: Monday, April 24, 2000 10:59 PM
> To: [EMAIL PROTECTED]
> Subject: Re: Client Authentication??
>
>
> Brian,
>
> You're correct in that the certificate is just a file
> - however, it's a file with certain information
> encrypted into it that identifies the common name of
> the server that will be using it. For example, if Acme
> Corporation applies for and is issued a certificate, they must
> supply the server name (perhaps www.acme.com) as part
> of the registration process. That server name becomes
> part of the information encrypted into the
> certificate.
>
> Now, once that certificate is installed in Acme's
> web server, a web browser can verify that the name in the
> certificate matches the web server name it's being
> served from. If the webmaster at Acme were to give a
> copy of the certificate to the webmaster at General
> Widgets Corp. and the certificate was served to a web
> browser, the browser would present the user with a
> warning message that the server name in the
> certificate didn't match the name of the server the browser is
> connecting to (i.e., www.acme.com does not match
> www.generalwidgets.com).
>
> Hope this helps.
>
> Regards,
> Al Shaver
> [EMAIL PROTECTED]
>
> --- Brian Snyder <[EMAIL PROTECTED]> wrote:
> >
> >
> > I have a quick question about client authentication.
> >
> > How exactly is authenticity guaranteed? If VeriSign
> > (or whoever) gives one a digital ID, this is just a
> > file on the computer.
> >
> > What's to stop said person from sharing this
> > signature and giving it to all his friends? The way I
> > understand it, and from what I've read on the topic at
> > (http://www.verisign.com/clientauth/), it seems like
> > they want to use digital IDs for client authentication,
> > to okay business transactions and the like. It seems
> > extremely easy to copy and redistribute one's keys, so
> > how exactly does this give the server authentication?
> >
> > TIA,
> > brian
> >
> >
> >
> >
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List [EMAIL PROTECTED]
> Automated List Manager [EMAIL PROTECTED]
>
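The mechanism the thread circles around, shown in working code. This is an added example, not code from the thread, from VeriSign or from the OpenSSL project; it uses Go's crypto/tls instead of OpenSSL because one self-contained program can act as the CA, the server and several clients, and the names (Acme CA, www.acme.com, [email protected], the "thief" and the look-alike CA) are made up. A Digital ID as installed in a browser is two things: the certificate, which is public and can be copied freely, and the private key. When the server asks for a client certificate, the client must also send a CertificateVerify message, a signature over the handshake so far made with that private key; the server checks the signature against the public key inside the certificate and checks that the certificate chains to a CA it trusts. A copy of the certificate file alone therefore buys nothing, and the certificate is bound to the key, not to a computer: a user carries the same identity between work and home by moving the private key, which is why protecting that key (passphrase, smart card) is the real question.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// must panics on setup errors: a failure here is a bug in the demo, not a server verdict.
func must[T any](v T, err error) T {
	if err != nil {
		panic(err)
	}
	return v
}

// issue mints a P-256 key and a certificate for cn: a self-signed CA when ca is nil, else a leaf signed by ca.
func issue(cn string, ca *tls.Certificate, dnsNames ...string) tls.Certificate {
	key := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader))
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()), // demo only; real CAs use random serials
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature,
		BasicConstraintsValid: true,
		DNSNames:              dnsNames,
	}
	parent, signer := tmpl, any(key) // self-signed unless a CA was given
	if ca != nil {
		parent, signer = ca.Leaf, ca.PrivateKey
	} else {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
	}
	der := must(x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer))
	// Like a Digital ID on disk, the result bundles the certificate with its private key.
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: key, Leaf: must(x509.ParseCertificate(der))}
}

// connect runs one TLS 1.2 handshake over loopback; the result is the server's verdict on the client.
func connect(server tls.Certificate, pool *x509.CertPool, certs []tls.Certificate) (string, error) {
	ln := must(net.Listen("tcp", "127.0.0.1:0"))
	defer ln.Close()
	ln.(*net.TCPListener).SetDeadline(time.Now().Add(5 * time.Second))
	go func() { // client side: offers certs and lives with whatever the server decides
		if c, err := tls.Dial("tcp", ln.Addr().String(), &tls.Config{RootCAs: pool, ServerName: "www.acme.com", Certificates: certs}); err == nil {
			c.Close()
		}
	}()
	raw := must(ln.Accept())
	defer raw.Close()
	raw.SetDeadline(time.Now().Add(5 * time.Second))
	srv := tls.Server(raw, &tls.Config{
		Certificates: []tls.Certificate{server},
		ClientAuth:   tls.RequireAndVerifyClientCert, // the optional SSL 3.0 feature the thread asks about
		ClientCAs:    pool,                            // only IDs issued by these CAs are acceptable
		MaxVersion:   tls.VersionTLS12,                // pinned so the verdict is final when Handshake returns
	})
	if err := srv.Handshake(); err != nil {
		return "", err
	}
	return srv.ConnectionState().PeerCertificates[0].Subject.CommonName, nil
}

// run replays the thread: Brian's Digital ID is a file anyone can copy; each attempt presents it differently.
func run() map[string]string {
	acme := issue("Acme CA", nil)
	server := issue("www.acme.com", &acme, "www.acme.com")
	brian := issue("[email protected]", &acme)
	lookalike := issue("Acme CA", nil) // same name as Acme's CA, different key, not in the server's pool
	impostor := issue("[email protected]", &lookalike)
	thief := must(ecdsa.GenerateKey(elliptic.P256(), rand.Reader)) // has Brian's cert file, not his key
	pool := x509.NewCertPool()
	pool.AddCert(acme.Leaf)
	out := map[string]string{}
	try := func(name string, certs ...tls.Certificate) {
		if cn, err := connect(server, pool, certs); err != nil {
			out[name] = "rejected: " + err.Error()
		} else {
			out[name] = "accepted as " + cn
		}
	}
	try("cert + matching key", brian)
	try("copied cert + thief's own key", tls.Certificate{Certificate: brian.Certificate, PrivateKey: thief, Leaf: brian.Leaf})
	try("same name, look-alike CA", impostor)
	return out
}

func main() {
	for name, verdict := range run() {
		fmt.Printf("%-30s %s\n", name, verdict)
	}
}
```

Running it prints one line per attempt: the genuine certificate-plus-key pair is accepted as [email protected]; the copied certificate paired with the thief's own key is refused because the CertificateVerify signature does not verify against the public key in the certificate; the impostor certificate is refused because it does not chain to the Acme CA the server actually trusts, even though its issuer carries the same name. The server pins TLS 1.2 so that its decision is visible when Handshake returns; under TLS 1.3 a Go client's Handshake returns before the server has checked the client certificate, and the rejection only surfaces on the client's first Read.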