On Tue, Apr 25, 2000 at 10:25:01AM -0400, Brian Snyder wrote:
> Al and others,
> 
> Hi.  Thanx for your response. I realize that gives an extra level of
> security from the **SERVER** side. 
> What I am specifically referring to is the **client** authorization allowed
> with SSL3.0.  If you look at the Verisign link I pointed to below, it
> talks about this optional ability w/ ssl3.0, where the server can ask the
> client for HIS/HER certificate.  This is what I'm specifically
> curious about, because how would they define a client certificate where it
> couldn't be copied.  I suppose utilizing the same
> security as you have mentioned for server authentication, whereby the
> certificate is keyed to the computer in some way, though I couldn't 
> envision this working very well... what if a person uses multiple computers
> (work/home) then this method wouldn't work...

You have already completely understood the situation. (No smiley appended,
since I don't know whether :-( or :-) would be appropriate.)
The client certificate is just like any other type of key. I can hand the
key to my apartment to my neighbours to take care of my plants while being
absent. The lock does not care who uses the key.
The same applies to digital certificates. You can copy them as often as you
want, as long as they are not fixed to some piece of hardware (e.g. some
smart card). If they are fixed to some hardware, I can still hand them to
everybody I want.
The culprit is that the client does not _want_ to give the certificate away,
since it is his account that is ruined... If he does not care, you cannot
stop him.

If you want to check the identity of the _person_ using the certificate,
you must check some biological properties of his/her body (fingerprint,
iris scan or whatever) and you must enforce that only certificates combined
with these properties are created...

Best regards,
        Lutz
-- 
Lutz Jaenicke                             [EMAIL PROTECTED]
BTU Cottbus               http://www.aet.TU-Cottbus.DE/personen/jaenicke/
Lehrstuhl Allgemeine Elektrotechnik                  Tel. +49 355 69-4129
Universitaetsplatz 3-4, D-03044 Cottbus              Fax. +49 355 69-4153
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
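
Added example, not part of Lutz's reply and not OpenSSL project code: the
point above (the lock does not care who holds the key) shown against a TLS
server that requires a client certificate, which is the SSL3 "client
authorization" Brian asks about. Three clients connect: the legitimate
holder of the certificate, a second "computer" that has a plain file copy of
the same certificate and private key, and a client with no certificate at
all. The server accepts the first two identically and refuses the third; it
verifies possession of a key certified by a trusted CA, nothing about the
person. The throwaway CA, the names (CN=brian, CN=localhost) and all paths
are made up for the demo, and the `openssl` command-line tool (1.1.1 or
newer) is assumed to be installed for certificate generation.

```python
"""Mutual-TLS demo: a copied client certificate is indistinguishable from the original."""
import os
import shutil
import socket
import ssl
import subprocess
import tempfile
import threading

# Minimal openssl req config so the demo does not depend on the system openssl.cnf.
REQ_CONFIG = """[req]
distinguished_name = dn
prompt = no
x509_extensions = ca_ext
[dn]
CN = Demo Test CA
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
"""
END_ENTITY_EXT = """basicConstraints = CA:FALSE
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid,issuer
keyUsage = digitalSignature,keyEncipherment
"""

def _openssl(*args):
    subprocess.run(["openssl", *args], check=True, capture_output=True)

def make_pki(workdir):
    """Create a throwaway CA, a server cert (CN=localhost) and one client cert (CN=brian)."""
    cfg = os.path.join(workdir, "req.cnf")
    with open(cfg, "w") as f:
        f.write(REQ_CONFIG)
    ca_key, ca_crt = os.path.join(workdir, "ca.key"), os.path.join(workdir, "ca.crt")
    _openssl("req", "-x509", "-config", cfg, "-newkey", "rsa:2048", "-nodes",
             "-days", "1", "-keyout", ca_key, "-out", ca_crt)
    paths = {"ca": ca_crt}
    for name, subj, ext in (
            ("server", "/CN=localhost", "extendedKeyUsage = serverAuth\nsubjectAltName = DNS:localhost\n"),
            ("client", "/CN=brian", "extendedKeyUsage = clientAuth\n")):
        key, csr, crt, extfile = (os.path.join(workdir, name + s) for s in (".key", ".csr", ".crt", ".ext"))
        with open(extfile, "w") as f:
            f.write(END_ENTITY_EXT + ext)
        _openssl("req", "-new", "-config", cfg, "-newkey", "rsa:2048", "-nodes",
                 "-subj", subj, "-keyout", key, "-out", csr)
        _openssl("x509", "-req", "-in", csr, "-CA", ca_crt, "-CAkey", ca_key,
                 "-CAcreateserial", "-days", "1", "-extfile", extfile, "-out", crt)
        paths[name] = (crt, key)
    return paths

def peer_common_name(cert):
    """Pull the CN out of the dict returned by SSLSocket.getpeercert()."""
    return next(v for rdn in cert["subject"] for k, v in rdn if k == "commonName")

def serve(listener, ctx, count, log):
    """Accept `count` connections; record who was let in and who was refused."""
    for _ in range(count):
        conn, _ = listener.accept()
        try:
            tls = ctx.wrap_socket(conn, server_side=True)  # handshake + client-cert check
        except OSError:
            log.append("rejected")  # no acceptable client certificate was presented
            continue
        with tls:
            cn = peer_common_name(tls.getpeercert())
            log.append("accepted " + cn)
            tls.sendall(("hello " + cn).encode())

def connect(addr, ca, cert_chain=None):
    """Client side: return the server's greeting, or None if the server refused us."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)  # hostname check and CERT_REQUIRED on by default
    ctx.load_verify_locations(ca)
    if cert_chain:
        ctx.load_cert_chain(*cert_chain)
    try:
        with socket.create_connection(addr, timeout=5) as raw, \
                ctx.wrap_socket(raw, server_hostname="localhost") as tls:
            data = tls.recv(64)
            return data.decode() if data else None
    except OSError:
        return None  # with TLS 1.3 the rejection may only surface on the first read

def run_demo():
    work = tempfile.mkdtemp()
    try:
        pki = make_pki(work)
        machine_b = os.path.join(work, "machine_b")  # "another computer": just a file copy
        os.mkdir(machine_b)
        copied = tuple(shutil.copy(p, machine_b) for p in pki["client"])
        server_ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
        server_ctx.verify_mode = ssl.CERT_REQUIRED  # SSL_VERIFY_PEER | SSL_VERIFY_FAIL_IF_NO_PEER_CERT
        server_ctx.load_verify_locations(pki["ca"])
        server_ctx.load_cert_chain(*pki["server"])
        listener = socket.socket()
        listener.bind(("127.0.0.1", 0))
        listener.listen()
        addr, log = listener.getsockname(), []
        t = threading.Thread(target=serve, args=(listener, server_ctx, 3, log), daemon=True)
        t.start()
        results = {"machine_a": connect(addr, pki["ca"], pki["client"]),
                   "machine_b": connect(addr, pki["ca"], copied),
                   "no_cert": connect(addr, pki["ca"])}
        t.join(timeout=10)
        listener.close()
        return results, log
    finally:
        shutil.rmtree(work, ignore_errors=True)

if __name__ == "__main__":
    print(run_demo())
```

Running it prints the two accepted greetings for machine A and machine B
and None for the client without a certificate, with the server log reading
"accepted brian" twice and "rejected" once. A hardware token changes only
where the private key lives, not this logic; the server still has no way to
know who is holding the token.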