On 6/15/06, Dave Pawson <[EMAIL PROTECTED]> wrote:
> 3. Endpoint B (server/recipient of REST service)
>    Registers the CA as a trusted authority (how?)
>    'Has access' to the private key of the CA (the server and CA are in
>    reality one and the same organisation)

While that would be possible in theory, that's discouraged because of:

> 4. The client encrypts using the public key returned by the CA
> 5. The server decrypts using the private key.

isn't the way it should be done. Your ca person/team/machine whatever should be as isolated as possible from any day-to-day services you provide. One would normally issue another certificate for the server, which in turn is trusted by the client, because it trusts the ca. There should even be an error saying something about encrypting (directly) to a self-signed cert's public key.

Your reference does say "The server returns the site's certificate", which does NOT mean the site's ca certificate.

best regards,
K. Hoercher
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
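The layout the reply recommends, as an added example that is not part of the original thread: the CA private key stays on the CA side, the CA issues a separate end-entity certificate for the server from a CSR, the server presents that certificate (not the CA certificate), and the client accepts it only because it holds the CA certificate as a trust anchor. It uses the openssl command-line tool; the names (example-ca, rest.example.test), directories and config snippets are assumptions made up for the demo, and it expects openssl 1.1.1 or 3.x on PATH.

```shell
#!/bin/sh
# Added example, not code from the original thread. Builds the recommended
# setup with the openssl CLI: an isolated CA, a separate server cert issued
# by it, and a client that trusts the server cert only via the CA cert.
# Names (example-ca, rest.example.test) and directories are made up here;
# assumes openssl 1.1.1 or 3.x on PATH.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
CA_DIR="$WORK/ca"          # stands in for the isolated CA machine
SERVER_DIR="$WORK/server"  # endpoint B, the REST service
CLIENT_DIR="$WORK/client"  # endpoint A, the caller
mkdir -p "$CA_DIR" "$SERVER_DIR" "$CLIENT_DIR"

make_ca() {
  # Self-signed CA cert with CA:TRUE; ca.key is created here and never copied.
  cat > "$CA_DIR/ca.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[ dn ]
CN = example-ca
[ ca_ext ]
basicConstraints = critical, CA:TRUE
keyUsage = critical, keyCertSign, cRLSign
subjectKeyIdentifier = hash
EOF
  openssl req -x509 -config "$CA_DIR/ca.cnf" -newkey rsa:2048 -nodes \
    -days 365 -keyout "$CA_DIR/ca.key" -out "$CA_DIR/ca.crt" 2>/dev/null
  # The client receives only the public CA cert, as its trust anchor.
  cp "$CA_DIR/ca.crt" "$CLIENT_DIR/trusted-ca.crt"
}

issue_server_cert() {
  # The server makes its own key pair and sends the CA a CSR (public data only).
  cat > "$SERVER_DIR/csr.cnf" <<'EOF'
[ req ]
distinguished_name = dn
prompt = no
[ dn ]
CN = rest.example.test
EOF
  openssl req -new -config "$SERVER_DIR/csr.cnf" -newkey rsa:2048 -nodes \
    -keyout "$SERVER_DIR/server.key" -out "$SERVER_DIR/server.csr" 2>/dev/null
  cp "$SERVER_DIR/server.csr" "$CA_DIR/incoming.csr"
  # The only step that touches ca.key: the CA signs an end-entity (CA:FALSE)
  # cert bound to the service hostname and hands it back to the server.
  cat > "$CA_DIR/server.ext" <<'EOF'
basicConstraints = critical, CA:FALSE
keyUsage = critical, digitalSignature, keyEncipherment
extendedKeyUsage = serverAuth
subjectAltName = DNS:rest.example.test
EOF
  openssl x509 -req -in "$CA_DIR/incoming.csr" -CA "$CA_DIR/ca.crt" \
    -CAkey "$CA_DIR/ca.key" -CAcreateserial -days 90 \
    -extfile "$CA_DIR/server.ext" -out "$CA_DIR/issued.crt" 2>/dev/null
  cp "$CA_DIR/issued.crt" "$SERVER_DIR/server.crt"
  # What the server presents to clients is server.crt, not the CA cert.
  cp "$SERVER_DIR/server.crt" "$CLIENT_DIR/presented-by-server.crt"
}

client_verify() {
  # Client-side check: chain the presented cert to the trusted CA cert and
  # require a server cert for the hostname being called. Prints OK or FAIL.
  if openssl verify -CAfile "$CLIENT_DIR/trusted-ca.crt" -purpose sslserver \
       -verify_hostname rest.example.test \
       "$CLIENT_DIR/presented-by-server.crt" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

client_verify_without_anchor() {
  # Same cert with no configured trust anchor: must fail, showing that trust
  # comes from the CA cert the client holds, not from the server cert itself.
  if openssl verify -no-CAfile -no-CApath \
       "$CLIENT_DIR/presented-by-server.crt" >/dev/null 2>&1
  then echo OK; else echo FAIL; fi
}

server_cert_issuer() {
  # Shows the presented cert was issued by the CA (it is not self-signed).
  openssl x509 -in "$CLIENT_DIR/presented-by-server.crt" -noout -issuer
}

make_ca
issue_server_cert
echo "verify via CA anchor:   $(client_verify)"
echo "verify with no anchor:  $(client_verify_without_anchor)"
echo "presented cert issuer:  $(server_cert_issuer)"
echo "CA key outside CA dir:  $(find "$SERVER_DIR" "$CLIENT_DIR" -name ca.key | wc -l) file(s)"
```

The negative check is the point of the reply: strip the trust anchor and the very same server certificate is rejected, so the client's trust rests entirely on the CA certificate it was given, and the CA private key is needed only once, at issuance, on the CA side.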