On Tue, Oct 22, 2002 at 12:50:04PM +0200, Martin Witzel wrote: > > Except when you have an independent means to verify that > a) the self-signed certificate which you received druing the handshake > comes from the entity which claims to be the originator > b) you also feel comfortable to trust this entity which issues its own > certificate > self-signed server certificates are essentially meaningless.
Any certificate provide for public key that could be used to run some crypto protocol. It is crypto that actually creates value making verification tools working and trust possible. > Self-signed client certificates are even less useful in my opinion. The > server > sends as a selection of trusted certificates during the handshake, and the > client > is supposed to select the one certificate from its client certificates > which can be > traced to one of these trusted signing entities. Otherwise the client must > send > an alert. Since a self-signed client certificate can never be traced to > some other > independent signing entity, this mechanism must break for client > authentication. > The mechanism is described as part of the SSL spec, if I recall this right. > With > other words, a self-signed client cert is not even spec-conformant in my > opinion. According to RFC 2246, server sends (quoting) "list of the distinguished names of acceptable certificate authorities...[that] names may specify a desired distinguished name for a root CA or for a subordinate CA", clause 7.4.4 Client sends empty "client certificate" message in case (quoting) "if no suitable certificate is available" or it could send the alert. I cant find a requirement to reject self-signed client certificate that server could find in it's local database of known public keys. I could imagine a self-signed client certificate used to prove "I'm the same guy that send some electronic cash yesterday". That could work for the case of merchant who cares users to pay and dont care what's their name and whether it's confirmed by some well-known CA happy speculating, Vadim ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]
