At 05:17 PM 8/24/01 +0200, you wrote:
>     Just verify the signature of request with : openssl req -verify -in
>requestfile

Thank you, but I made a mistake asking the question.

What you are suggesting will detect a modified request (which is what I 
wrote), but not someone substituting a different certificate request (that 
is signed consistently, but is the wrong certificate completely).

What I should have asked is how to detect a *substitute* request.  It will 
be self-consistent, but will not match the correct private key.

One solution is to show that the certificate and private key are consistent 
after signing, but there does not seem to be a way of doing this using openssl.

For example, Alice generates a request, sending it to Bob.  Mallory 
intercepts the message and substitutes a different request.  Bob signs 
Mallory's request and returns it to Alice.  Alice thinks she has a 
certificate that matches her key and distributes it.  Mallory then sends 
data in Alice's name and people verify it against what is apparently 
Alice's certificate.

That scenario isn't exactly what I'm worried about, but it illustrates the 
problem.

Thanks again,
Andrew

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
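
The consistency check discussed in the message above, comparing the public key inside a request or certificate with the one derived from the private key, sketched with the openssl command line. This is an added example, not part of the original message; the file names, subject names and the out-of-band copy of Alice's public key (alice.pub) are constructed assumptions.

```shell
#!/bin/sh
# Added example; every file name and subject below is constructed for the demo.

# Public key (PEM SubjectPublicKeyInfo) carried by a private key, request, cert.
pubkey_of_key()  { openssl pkey -in "$1" -pubout 2>/dev/null; }
pubkey_of_req()  { openssl req  -in "$1" -noout -pubkey 2>/dev/null; }
pubkey_of_cert() { openssl x509 -in "$1" -noout -pubkey 2>/dev/null; }

# same_pubkey A B: succeed only if both strings are non-empty and identical.
same_pubkey() { [ -n "$1" ] && [ "$1" = "$2" ]; }

# The check from the quoted reply: is the request's self-signature intact?
req_self_consistent() { openssl req -verify -in "$1" -noout >/dev/null 2>&1; }

# Alice's check on what comes back: does the certificate carry HER public key?
cert_matches_key() { same_pubkey "$(pubkey_of_cert "$1")" "$(pubkey_of_key "$2")"; }

# Bob's check before signing: does the request carry the key Alice sent him
# out of band? (Assumption: $2 is a PEM public key from a trusted channel.)
req_matches_pubkey() { same_pubkey "$(pubkey_of_req "$1")" "$(cat "$2")"; }

# new_request BASE CN: write BASE.key and BASE.csr (2048-bit RSA, no passphrase).
new_request() {
    openssl req -new -newkey rsa:2048 -nodes -keyout "$1.key" -out "$1.csr" \
        -subj "/CN=$2" 2>/dev/null
}

# build_scenario DIR: Bob's CA, Alice's request, Mallory's substitute claiming
# the same name, and the certificate Bob issues for each request.
build_scenario() (
    cd "$1" || exit 1
    openssl req -x509 -newkey rsa:2048 -nodes -keyout bob.key -out bob.crt \
        -subj "/CN=Bob CA" -days 1 2>/dev/null || exit 1
    new_request alice Alice && new_request mallory Alice || exit 1
    pubkey_of_key alice.key > alice.pub
    for r in alice mallory; do
        openssl x509 -req -in "$r.csr" -CA bob.crt -CAkey bob.key \
            -CAcreateserial -days 1 -out "from_$r.crt" 2>/dev/null || exit 1
    done
)

d=$(mktemp -d) && build_scenario "$d" || exit 1
for r in alice mallory; do
    req_self_consistent "$d/$r.csr"                  && s=ok    || s=BAD
    req_matches_pubkey  "$d/$r.csr" "$d/alice.pub"   && b=match || b=MISMATCH
    cert_matches_key "$d/from_$r.crt" "$d/alice.key" && a=match || a=MISMATCH
    echo "$r.csr: self-signature=$s bob-check=$b alice-check=$a"
done
```

The substitute request passes the self-signature check yet fails both key comparisons, so either Bob (before signing) or Alice (before distributing the certificate) can catch the swap.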
