Thank You for your help! I understand now, that the client would not be able to offer a certificate unless it owns the corresponding private key. So it is enough to check that the certificate offered (or its fingerprint), matches the certificate (resp. finger print) send to the server on a secure channel.
Thus I was able to finish implementing this part of the Phantom Protocol design. Thank you very much for your time, help and patience. :) Once I will have a first working prototype of the protocol, you will be able to check it our here: http://code.google.com/p/phantom/ (for now the code is in a private repository, as we are not sure yet, how much rights google takes for using their services to develop code) Michael On Fri, Sep 25, 2009 at 9:46 PM, Victor Duchovni < victor.ducho...@morganstanley.com> wrote: > On Fri, Sep 25, 2009 at 01:49:25PM +0200, Michael Prinzinger wrote: > > > Dear Victor, > > > > thanks for your help. > > The problem is that I need to understand OpenSSL and its mechanisms and > > No you need to understand SSL/TLS in general, and how to make use of > SSL in your protocol. The OpenSSL part will be easy, understanding SSL > (especially SSL with direct trust sans trust anchors) is I think your > main obstacle. > > > However I think it would be more secure to be able to verify that the > client > > is actually in posession of the private key belonging to this > certificate, > > right? > > SSL ensures that the SSL client has the private key for the peer > certificate that you find for the client at the end of the SSL session. > It is then up to your application to decide whether this is the right > peer to talk to, but the peer definitely knows how to solve the inverse > problem for the public key in question, presumably by having access to > the private key. > > Good luck. > > -- > Viktor. > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager majord...@openssl.org >
