question about ssl certs


question about ssl certs

Igor-5
Hi, all.  I'm hoping somebody can clarify the confusion for me.

Do certs need to be guarded or not?  Because what happens if you're doing client-side
authentication and a server asks you for your cert, caches it and that server is later
compromised?  What will prevent somebody from stealing my cert and going around pretending to be
me?

Thank you.

__________________________________________________
Do You Yahoo!?
Tired of spam?  Yahoo! Mail has the best spam protection around
http://mail.yahoo.com 
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [hidden email]
Automated List Manager                           [hidden email]

Re: question about ssl certs

Richard Salz
> What will prevent somebody from stealing my cert and
> going around pretending to be me?

"Okay, if you're Susan, this this blob: xxxxxx"

Without your *private* key, they cannot do that.  Therefore, they cannot
pretend to be you.  If they did, it would be like accepting a passport or
driver's license without seeing if it's your picture.


        /r$

--
SOA Appliances
Application Integration Middleware





Re: question about ssl certs

Richard Salz
> > What will prevent somebody from stealing my cert and
> > going around pretending to be me?
>
> "Okay, if you're Susan, this this blob: xxxxxx"

Sign.  The challenge is "sign this blob...."
 
> Without your *private* key, they cannot do that.  Therefore, they cannot
> pretend to be you.  If they did, it would be like accepting a passport or
> driver's license without seeing if it's your picture.
>
>
>         /r$
>
> --
> SOA Appliances
> Application Integration Middleware


RE: question about ssl certs

JoelKatz
In reply to this post by Igor-5

> Hi, all.  I'm hoping somebody can clarify the confusion for me.
>
> Do certs need to be guarded or not?

        Almost never.

> Because what happens if
> you're doing client-side
> authentication and a server asks you for your cert, caches it and
> that server is later
> compromised?

        Nothing.

> What will prevent somebody from stealing my cert
> and going around pretending to be
> me?

        Conceptually, the cert proves that you are you, not that whoever presents
it is you. Procedurally, the cert associates a particular private key with a
particular identity. Since they don't have your private key, proving that
the holder of the private key is you (which is what the certificate does)
doesn't help them.

        DS
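The exchange Richard Salz and JoelKatz describe (the server hands the client a blob, the client signs it, the server checks the signature against the public key inside the presented certificate) can be played out end to end in a few lines. The following program is an added example and is not code from this thread or from the OpenSSL project; it uses only the Go standard library, stands in for a real CA with a self-signed certificate, and borrows the name "Susan" from the thread. The function names (`NewIdentity`, `SignChallenge`, `VerifyChallenge`, `Demo`) are this example's own. It goes one step beyond the thread by also showing why the challenge has to be fresh: an attacker who cached a certificate and a previously captured signature still cannot pass.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Identity is what a client keeps: the certificate, which is public and is
// handed to every server it talks to, and the private key, which never leaves
// the client.
type Identity struct {
	CertDER []byte
	Key     *ecdsa.PrivateKey
}

// NewIdentity makes a self-signed certificate for the demo (assumption: a real
// client certificate would be issued by a CA; the public/private split is the same).
func NewIdentity(name string) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1),
		Subject:      pkix.Name{CommonName: name},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	return &Identity{CertDER: der, Key: key}, nil
}

// SignChallenge is the client's half of "sign this blob": only the holder of
// the private key can produce this signature.
func SignChallenge(key *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, key, digest[:])
}

// VerifyChallenge is the server's half: take the public key out of the
// presented certificate and check that the signature covers the challenge this
// server issued. The certificate alone proves nothing; the signature does.
func VerifyChallenge(certDER, challenge, sig []byte) (string, error) {
	cert, err := x509.ParseCertificate(certDER)
	if err != nil {
		return "", err
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", errors.New("certificate does not carry an ECDSA key")
	}
	digest := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", errors.New("signature does not match the certificate's key")
	}
	return cert.Subject.CommonName, nil
}

// nonce returns a fresh random challenge; freshness is what defeats replay.
func nonce() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Outcome records who passed the server's challenge in Demo.
type Outcome struct {
	Genuine  bool // Susan, holding certificate and private key
	Impostor bool // attacker holding only the cached certificate
	Replay   bool // attacker replaying an old signature against a fresh challenge
}

// Demo plays out the thread's scenario: a server that cached Susan's
// certificate is compromised, so the attacker has the certificate but not the key.
func Demo() (Outcome, error) {
	var out Outcome
	susan, err := NewIdentity("Susan")
	if err != nil {
		return out, err
	}
	attackerKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return out, err
	}
	c1, c2 := nonce(), nonce()
	// 1. Susan answers an honest server's challenge with her own key.
	sig1, err := SignChallenge(susan.Key, c1)
	if err != nil {
		return out, err
	}
	_, err = VerifyChallenge(susan.CertDER, c1, sig1)
	out.Genuine = err == nil
	// 2. The attacker presents the cached certificate but can only sign with a
	//    key the certificate does not vouch for.
	forged, err := SignChallenge(attackerKey, c2)
	if err != nil {
		return out, err
	}
	_, err = VerifyChallenge(susan.CertDER, c2, forged)
	out.Impostor = err == nil
	// 3. Replaying Susan's captured signature fails too: the new server issued
	//    a different challenge.
	_, err = VerifyChallenge(susan.CertDER, c2, sig1)
	out.Replay = err == nil
	return out, nil
}

func main() {
	out, err := Demo()
	if err != nil {
		panic(err)
	}
	fmt.Printf("genuine: %v  impostor: %v  replay: %v\n", out.Genuine, out.Impostor, out.Replay)
}
```

Running it prints `genuine: true  impostor: false  replay: false`. The thing a compromised server could hand an attacker is the certificate, which is exactly the input `VerifyChallenge` treats as public; what it checks is possession of the private key, which a server never sees.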

