Yunhong Li wrote:
> 
> From my understanding, the client cert is transmitted in the clear.
> When the server receives the client cert, the server verifies the client
> cert using a CA (or chained CAs), e.g. verifying the date, signature,
> etc. The question I have is that whoever could intercept the client
> cert could fake the client. Am I right?
> 

No, because in addition to the certificate the client signs some data
with the private key corresponding to the public key in the certificate.
The server then verifies this signature as well as the certificate.

Anyone intercepting a client certificate will not know the private key
and so cannot impersonate the client.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
