> > > if somebody intercepts the certificate while it is in transit
> > > on the network, can this person use this certificate?
> >
> > If you have a certificate you can verify something that's been signed
> > with the private key, or you can encrypt something so that only the
> > holder of the private key can decrypt it.
> >
> > You can't "do anything bad" with a certificate. In particular, you
> > cannot sign anything with it.
>
> In fact I use a certificate to establish a VPN; the handshake is
> based only on the certificate.
> Thus if somebody intercepts a certificate, can they use the VPN?
> (because the VPN server accepts all connections if it knows the CA
> which signed the certificate of the user)

A certificate essentially says something like "I am Verisign, and I certify that Joe Schmoe is the rightful owner of the private key whose corresponding public key is X". The certificate itself is generally considered public information, and it is not a problem if the certificate is intercepted. If someone else presents that certificate, it still conveys only the correct and valid information that Joe Schmoe is the rightful owner of that key, as decided by Verisign.

I think your question comes out of a misunderstanding of what you actually *do* with a certificate. In the example of a browser going to a secure web site, the browser receives the certificate and does the following checks:

1) Is the certificate valid and properly signed by a certification authority?
2) Do I trust that certificate authority for the purpose of authenticating web sites?
3) Is the name in the certificate actually the place I was trying to reach? (If I was trying to reach "www.amazon.com", is this the name in the certificate?)
4) Can the machine I reached prove that it holds the corresponding private key to the public key in the certificate?

If all four questions get yes answers, then you see that little locking icon. If the certificate is used by anyone else, they will fail test 4 unless they have the site's corresponding private key. The same applies to a VPN authentication operation, assuming it's properly designed.

Presenting the certificate is only one step. You still have to prove that you are the party the certificate was issued to by demonstrating possession of the private key.

DS
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
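The four checks described in the reply above, worked through with the openssl command-line tool. This is an added example, not code from the thread or from the OpenSSL project: the CA name "Example CA", the user "Joe Schmoe", the impostor "Mallory" and the scratch directory are made-up assumptions, and only the openssl binary is required. Check 4 is modelled as a nonce signed by the presenter and verified with the public key pulled out of the presented certificate; Mallory, who copied joe.crt off the wire but does not hold joe.key, passes checks 1 to 3 and fails check 4.

```shell
#!/bin/sh
# Added example, not from the thread above: the four certificate checks
# reproduced with the openssl CLI, plus what happens when someone who
# merely intercepted Joe's certificate tries to present it.
# Assumptions: the names ("Example CA", "Joe Schmoe", "Mallory") and the
# scratch directory are made up; the openssl command must be installed.
set -e
WORK="${WORK:-$(mktemp -d)}"
cd "$WORK"

# Build a tiny PKI once: a CA, Joe's CA-signed certificate, and Mallory's
# own private key (Mallory has joe.crt from the wire but not joe.key).
setup_pki() {
    [ -f mallory.key ] && return 0
    openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
        -subj "/CN=Example CA" -days 365 >/dev/null 2>&1
    openssl req -newkey rsa:2048 -nodes -keyout joe.key -out joe.csr \
        -subj "/CN=Joe Schmoe" >/dev/null 2>&1
    openssl x509 -req -in joe.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
        -out joe.crt -days 365 >/dev/null 2>&1
    openssl genpkey -algorithm RSA -out mallory.key >/dev/null 2>&1
}

# Checks 1 and 2: the signature and validity period are fine, and the
# issuer is a CA we trust (ca.crt is the only trust anchor we hand over).
check_chain() {
    openssl verify -CAfile ca.crt "$1" 2>/dev/null | grep -q ': OK$'
}

# Check 3: the identity named in the certificate is the one we expected.
check_name() {
    subj=$(openssl x509 -in "$1" -noout -subject -nameopt RFC2253 | sed 's/^subject= *//')
    [ "$subj" = "CN=$2" ]
}

# Check 4: proof of possession. The verifier issues a fresh nonce, the
# presenter signs it with whatever private key it actually holds ($2), and
# the verifier checks the signature with the public key taken from the
# presented certificate ($1). Only Joe's key matches Joe's certificate.
prove_possession() {
    openssl x509 -in "$1" -pubkey -noout > presented.pub
    openssl rand -out nonce.bin 32
    openssl dgst -sha256 -sign "$2" -out sig.bin nonce.bin
    openssl dgst -sha256 -verify presented.pub -signature sig.bin nonce.bin >/dev/null 2>&1
}

# All four checks for a presenter who shows certificate $1 and holds key $2.
authenticate() {
    check_chain "$1" && check_name "$1" "Joe Schmoe" && prove_possession "$1" "$2"
}

setup_pki
echo "Joe with joe.crt + joe.key:         $(authenticate joe.crt joe.key && echo accepted || echo rejected)"
echo "Mallory with joe.crt + mallory.key: $(authenticate joe.crt mallory.key && echo accepted || echo rejected)"
```

A real TLS or VPN handshake does the same thing in-protocol (the CertificateVerify message in TLS is exactly this signature over the handshake transcript), which is why an intercepted certificate on its own buys the interceptor nothing.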