> > > considered as proposition to discussion. Real, secure programming should > > > be based on existing, well checked protocols (which is possible in this > > > case). > > > > The OP was going to embed his CA's private key in his installer. > > The OP was not thinking clearly about key management. My first response > to the OP outlined what needs to be done for key-management (a human > assisted enrollment process).
Thank you all for all the responses and the discussion. I learn from this discussion, that for a complete secured system, I need to consider the key management in better fashion. I will definitely think over it. But for now, I would like you guys to comment if the scheme of allowing the admin to create certificate through installer work ? I am assuming that the admin will guard the installer (and hence the cert generation capability) well, so that no one else gets to create a CA signed cert. Isn't this as if the installer itself is working as a CA tool, and the admin is acting as a local CA, issuing / creating certificates for the servers to use? I believe the MITM can be avoided with this, in the following way: The admin knows the name of the machine where he is installing the server. He will put this information in the certificate. The client will indeed verify this name as part of cert verification. We assume that acting as a local CA, the admin will not use installer to create incorrect certificates. BTW. I would like to know more about the finished messages David was talking about. Could someone point me to the documentation / article on this? Thank you once again. ~ Urjit DISCLAIMER ========== This e-mail may contain privileged and confidential information which is the property of Persistent Systems Pvt. Ltd. It is intended only for the use of the individual or entity to which it is addressed. If you are not the intended recipient, you are not authorized to read, retain, copy, print, distribute or use this message. If you have received this communication in error, please notify the sender and delete all copies of this message. Persistent Systems Pvt. Ltd. does not accept any liability for virus infected mails. ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
