> On 26 Jun 2016, at 21:59, Keary Suska <cocoa-...@esoteritech.com> wrote: > > >> On Jun 25, 2016, at 8:44 PM, Gerriet M. Denkmann <gerr...@mdenkmann.de> >> wrote: >> >> Following TN2326 I created a (self signed) Certificate Authority and a >> Digital Identity called "MyServerId". >> > <snip> > >>> We are now falling into the rabbit hole that is peer-to-peer trust & >>> identity. How is your server going to identify it so that a client will >>> know that it’s the server it expects? I don’t know whether you’ve given any >>> thought to this; the answer affects how you’d implement this part of the >>> app. >> >> I have thought about this, but I am not at all sure that my thoughts are >> correct. >> Currently (as indicated in the code above) my client has a copy of the real >> server certificate and compares it with the certificate obtained from its >> inputStream. >> I am not sure whether putting the server certificate into the client is ok >> or a breach of security. >> >> That is: the client will accept any server which has signed with the server >> certificate. > > Self-signed certificates can only offer encryption, but cannot offer trust > because they are not verifiable. You can’t use the server certificate as a > key since you pass that key out to anyone who wants it (in your app), and > anyone who gets it can impersonate the server.
Assume that an evil entity has got hold of “MyServerCertificate.cer”, but has no access to my keychain and thus to the private key of MyServerCertificate. Could they use this certificate to open a secure stream to a client? Or do they need the private key to sign? > I am unclear to me whether you are after a client-server (i.e. all servers > are under your control) or peer-to-peer (i.e. every client is a server and > every server is a client)) model? There is just one server, which is under my control. Kind regards, Gerriet. _______________________________________________ Cocoa-dev mailing list (Cocoa-dev@lists.apple.com) Please do not post admin requests or moderator comments to the list. Contact the moderators at cocoa-dev-admins(at)lists.apple.com Help/Unsubscribe/Update your Subscription: https://lists.apple.com/mailman/options/cocoa-dev/archive%40mail-archive.com This email sent to arch...@mail-archive.com
