On 11/22/06, Chris Covington <[EMAIL PROTECTED]> wrote:
On 11/22/06, David Schwartz <[EMAIL PROTECTED]> wrote:
> > OK, perhaps I need to explain this more. I have a client cert
> > scenario where in order to verify the client's identity a certificate
> > is used instead of a username / password. I would not like for anyone
> > to be able to just grab the client certificate and impersonate, so I
> > would like to add a password to the cert. I would think this would be
> > similar to where for instance Verisign sends you a certificate for
> > your webserver, and it has a password on it. Am I mistaken?
> >
> > Chris
>
> No, you are completely confused and really need to read some basic
> information about public-key encryption before you go any further. The whole
> point of the authentication scheme is that the certificate is public. If it
> wasn't, how could the server send it to you to prove its identity?
>
> If you want to see, for example, Amazon.com's certificate, type this:
> openssl s_client -host www.amazon.com -port 443
> And in a few seconds, Amazon's certificate will appear for you to see.
I am most likely using the wrong terms (but I may be completely
confused, I admit). When one distributes client certificates to take
the place of usernames/passwords for authentication, how is that
commonly referred to? Let's say I wanted to create an application
where one logs in with only his certificate, not his username and
password, and there is no RSA private key corresponding to that client.
Whoops, I mean that the RSA private key is not password-protected.
Thanks,
Chris
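The distinction the thread is circling is that the certificate is public and the private key is the secret; "putting a password on the cert" in practice means encrypting the private key file (or the PKCS#12 bundle that carries key and certificate together) under a passphrase. The script below is an added example, not code from either poster; it uses the OpenSSL command-line tool and a scratch directory, and the CA name, the subject `CN=chris`, the file names and the passphrase are all constructed for illustration. It shows that the certificate can be read with no passphrase at all, that the encrypted key can only be unlocked with the right passphrase, and how the two are packaged into a `.p12` file.

```shell
#!/bin/sh
# Added example: what "password-protecting a client certificate" means in OpenSSL
# terms. All names, paths and the passphrase are constructed for this demo.
set -eu

WORK="$(mktemp -d)"            # scratch directory; removed on exit
trap 'rm -rf "$WORK"' EXIT
PASS="correct horse"           # constructed passphrase for the example

# Issue a throwaway CA so the client certificate can be signed locally.
make_ca() {
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 \
        -subj "/CN=Example Client CA" \
        -keyout "$WORK/ca.key" -out "$WORK/ca.crt" 2>/dev/null
}

# Generate the client's RSA private key *encrypted* under the passphrase.
# This file is the secret; the passphrase protects it at rest.
make_client_key() {
    openssl genrsa -aes256 -passout "pass:$PASS" \
        -out "$WORK/client.key" 2048 2>/dev/null
}

# Build a CSR from the encrypted key and have the CA sign it. The resulting
# certificate carries the public key and the identity, nothing secret.
make_client_cert() {
    openssl req -new -key "$WORK/client.key" -passin "pass:$PASS" \
        -subj "/CN=chris" -out "$WORK/client.csr" 2>/dev/null
    openssl x509 -req -in "$WORK/client.csr" \
        -CA "$WORK/ca.crt" -CAkey "$WORK/ca.key" -CAcreateserial \
        -days 1 -out "$WORK/client.crt" 2>/dev/null
}

# Bundle certificate + encrypted key into PKCS#12, the form in which a CA
# typically hands out a "certificate with a password".
make_p12() {
    openssl pkcs12 -export -in "$WORK/client.crt" \
        -inkey "$WORK/client.key" -passin "pass:$PASS" \
        -out "$WORK/client.p12" -passout "pass:$PASS" 2>/dev/null
}

# True if the key file on disk is encrypted (both the legacy
# "Proc-Type: 4,ENCRYPTED" header and the PKCS#8 "ENCRYPTED PRIVATE KEY"
# form contain the word ENCRYPTED).
key_is_encrypted() {
    grep -q 'ENCRYPTED' "$WORK/client.key"
}

# Returns 0 only if the given passphrase decrypts the client key.
key_unlocks_with() {
    openssl rsa -in "$WORK/client.key" -passin "pass:$1" -noout >/dev/null 2>&1
}

# The certificate needs no passphrase to read: it is public by design.
cert_subject() {
    openssl x509 -in "$WORK/client.crt" -noout -subject 2>/dev/null
}

build_all() {
    make_ca && make_client_key && make_client_cert && make_p12
}

build_all
echo "certificate subject (read with no passphrase): $(cert_subject)"
echo "private key encrypted on disk: $(key_is_encrypted && echo yes || echo no)"
echo "wrong passphrase unlocks key:  $(key_unlocks_with 'wrong' && echo yes || echo no)"
echo "right passphrase unlocks key:  $(key_unlocks_with "$PASS" && echo yes || echo no)"
```

Two things to take from running it: `cert_subject` succeeds with no passphrase because a certificate is meant to be handed to anyone, exactly as the `s_client` command against Amazon in the quoted reply shows; and the passphrase on `client.key` (or on `client.p12`) only protects the file while it sits on disk. Once the application loads the key to authenticate, the unlocked key is in memory, so the passphrase limits what an attacker gets from copying the file, not what a process that already holds the key can do.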
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List openssl-users@openssl.org
Automated List Manager [EMAIL PROTECTED]