Why is a client certificate needed?


Why is a client certificate needed?

michael Dorrian
This is the scenario. I have a root CA which I use to sign both the client certificate and server certificate. When you are checking the client certificate, all you are checking is if the IP address matches the IP address in the certificate, but the certificate and IP address could be anyone's? Therefore all I need, if I want to connect to the server, is the same root CA as the server, and then make my own client certificate and then connect to the server. In this case the root CA is all I need to have to make my client CA. Therefore, why is this check needed at all?



Re: Why is a client certificate needed?

michael Dorrian
Sorry, typo: client CA = client cert.


Re: Why is a client certificate needed?

Kyle Hamilton
In reply to this post by michael Dorrian
A client certificate does not identify an IP or domain name, a client
certificate identifies a user.

A server certificate identifies an IP or domain name (usually domain name).

And to follow up to your other question (how to make it a warning
instead of an error): If you're programming, you set a callback for
cert_verify (or whatever it's called, I'm too tired to look it up
right now).  Then, you can look at the verify return code -- if it's
UNKNOWN_CA, then you can present a dialog to the user.  This happens
before any actual application data is transmitted on the wire.

-Kyle H

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]
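The distinction Kyle draws (chain validity says "issued by our CA"; who the user is and whether they are allowed in is a separate decision the application has to make) is easiest to see with both sides of the handshake in one runnable program. The following is an added example written for this page, not code from the thread or from the OpenSSL project; it uses Go's standard-library TLS instead of OpenSSL's C API because it can mint its own test CA and run a mutual-TLS handshake offline with no external files. The root "Example Root", the users "alice" and "mallory", and the allow-list keyed on the subject CN are all constructed for the example. `VerifyPeerCertificate` plays the role of the verify callback Kyle describes (in OpenSSL that is the callback installed with `SSL_CTX_set_verify`, with the error code read via `X509_STORE_CTX_get_error`), and the `unknown-ca` case shows the client-side error a client that does not trust the root gets back from its own chain check, before any application data is sent.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"net"
	"time"
)

// issue mints a P-256 key and certificate for cn; a nil parent yields a self-signed root. Both EKUs are set so one helper serves server and client certificates.
func issue(cn string, dns []string, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	serial, _ := rand.Int(rand.Reader, big.NewInt(1<<62))
	tmpl := &x509.Certificate{
		SerialNumber: serial, Subject: pkix.Name{CommonName: cn}, DNSNames: dns,
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, BasicConstraintsValid: true,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth, x509.ExtKeyUsageClientAuth},
	}
	if parent == nil {
		tmpl.IsCA, tmpl.KeyUsage = true, tmpl.KeyUsage|x509.KeyUsageCertSign
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// serverConfig demands a client certificate chaining to clientCAs. That check only proves
// "issued by our CA"; VerifyPeerCertificate then decides whether this user (the CN) may connect.
func serverConfig(clientCAs *x509.CertPool, cert *x509.Certificate, key *ecdsa.PrivateKey, allowed map[string]bool) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}},
		ClientCAs:    clientCAs, ClientAuth: tls.RequireAndVerifyClientCert, MinVersion: tls.VersionTLS12,
		VerifyPeerCertificate: func(_ [][]byte, chains [][]*x509.Certificate) error {
			if user := chains[0][0].Subject.CommonName; !allowed[user] {
				return fmt.Errorf("user %q has a valid certificate but is not authorized", user)
			}
			return nil
		},
	}
}

// clientConfig presents the client certificate and trusts roots for the server's chain.
func clientConfig(roots *x509.CertPool, cert *x509.Certificate, key *ecdsa.PrivateKey) *tls.Config {
	return &tls.Config{
		Certificates: []tls.Certificate{{Certificate: [][]byte{cert.Raw}, PrivateKey: key}},
		RootCAs:      roots, ServerName: "localhost", MinVersion: tls.VersionTLS12,
	}
}

// handshake runs one handshake over loopback TCP. The client's own verification error (the "verify return code" of the thread) wins when there is one; otherwise the server's verdict is returned.
func handshake(srv, cli *tls.Config) error {
	ln, _ := net.Listen("tcp", "127.0.0.1:0")
	defer ln.Close()
	srvErr := make(chan error, 1)
	go func() {
		raw, err := ln.Accept()
		if err == nil {
			conn := tls.Server(raw, srv)
			err = conn.Handshake() // only handshake messages cross the wire
			conn.Close()
		}
		srvErr <- err
	}()
	conn, err := tls.Dial("tcp", ln.Addr().String(), cli)
	if err != nil {
		<-srvErr // let the server side finish before the listener closes
		return err
	}
	conn.Close()
	return <-srvErr
}

// scenarios: alice and mallory hold equally valid certificates from the same root; only alice is on the allow-list. The third client does not trust the root, so its own chain check fails.
func scenarios() map[string]error {
	ca, caKey := issue("Example Root", nil, nil, nil)
	srvCert, srvKey := issue("localhost", []string{"localhost"}, ca, caKey)
	alice, aliceKey := issue("alice", nil, ca, caKey)
	mallory, malloryKey := issue("mallory", nil, ca, caKey)
	trusted := x509.NewCertPool()
	trusted.AddCert(ca)
	srv := serverConfig(trusted, srvCert, srvKey, map[string]bool{"alice": true})
	return map[string]error{
		"alice":      handshake(srv, clientConfig(trusted, alice, aliceKey)),
		"mallory":    handshake(srv, clientConfig(trusted, mallory, malloryKey)),
		"unknown-ca": handshake(srv, clientConfig(x509.NewCertPool(), alice, aliceKey)),
	}
}
func main() { fmt.Println(scenarios()) }
```

Run it with `go run` and the `mallory` entry is the answer to the original question: mallory's certificate chains to the same root as alice's and passes the chain check, and the connection is refused only because the server goes on to check who the certificate names. Without that second step, anyone the CA has issued a certificate to can connect, which is exactly the situation the question describes. The `unknown-ca` entry shows the opposite direction, a client whose own verification fails with an unknown-authority error, which is the code a verify callback would inspect before deciding whether to warn the user or abort.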

Re: Why is a client certificate needed?

michael Dorrian
Thanks a lot for the info, Kyle. I think I should be able to figure out that callback function myself. Thanks again.


Re: Why is a client certificate needed?

michael Dorrian
In reply to this post by Kyle Hamilton
Slight problem... that unknown_CA error for some reason only appears on the server side, not the client...
