Hi Brian,

I believe the security relies on the fact that you DON'T
share the keys with your friends.

Based on subsequent posts, let me clarify that for a certificate
to be useful, there is both the private key and the public
key. Verisign doesn't just "give" you a file. When you begin
the certificate request process, you generate a public-private
key pair. Your browser keeps the private key, and gives the
public key in a certificate signing request to Verisign. Verisign
then signs the request, and gives you back the resulting
certificate file containing your public key. That certificate
is useless without your private key.

Having said that, with client auth, the client side cert is
public domain information. But having it is useless without
the associated key that is stored on your PC.  If you redistribute
the keys, well, you've blown your security.  Would you give
out your bank card and associated PIN number to your friends?
If you did, you would have little recourse when you went to
the bank and complained that your account was cleaned out.

The whole authentication scheme relies on two principles:

   a) The trust in the CA and that THEIR private key hasn't
      been compromised, meaning that I can trust that your
      certificate was signed by the CA and not some impostor.

   b) The trust that YOU didn't give away your private keys.
      If you did, well, I would have no guarantee that I'm
      talking to you anymore. (This is because when establishing
      a handshake with a client providing a client side cert,
      the process involves a check that allows the server to
      confirm that the user providing the client side cert
      has the matching private key, without actually requesting
      the private key).

You mention that it is extremely easy to redistribute your
keys. While I can't argue with that point, I should point
out that it is not THAT easy. I.e. there are no user interfaces
that give away the keys - you have to go digging into appropriate
locations in your PC to dig out the information, and have a
reasonable amount of knowledge to do so...

Cheers, Thomas

Brian Snyder wrote:
> 
> I have a quick question about client authentication.
> 
> How exactly is authenticity guaranteed?  If Verisign (or whoever) gives one
> a digital ID, this is just a file on the computer.
> 
> What's to stop said person from sharing this signature and giving it to all
> his friends.  The way I understand it, and from what I've
> read on the topic at (http://www.verisign.com/clientauth/), it seems like
> they want to use digital IDs for client authentication, to
> okay business transactions and the like.  It seems extremely easy to copy
> and redistribute one's keys so how exactly does this
> give the server authentication?
> 
> TIA,
>   brian
> 
> 

-- 
------------------------------------------------------------
Thomas Reinke                            Tel: (905) 331-2260
Director of Technology                   Fax: (905) 331-2504
E-Soft Inc.                         http://www.e-softinc.com
Publishers of SecuritySpace     http://www.securityspace.com
______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
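
The two checks described in the message above (the certificate chains to a trusted CA, and the presenter proves possession of the matching private key without revealing it), as an added example that is not part of the original post. It is a simplification: real TLS signs the handshake transcript rather than a bare nonce, Ed25519 is used for brevity, and all names (`issue`, `serverAccepts`, `demo`, "Example CA", "client.example") are hypothetical.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// issue makes a key pair and a certificate for cn signed by parent (a self-signed CA if parent is nil).
func issue(cn string, parent *x509.Certificate, parentKey ed25519.PrivateKey) (*x509.Certificate, ed25519.PrivateKey) {
	pub, key, _ := ed25519.GenerateKey(rand.Reader)
	t := &x509.Certificate{SerialNumber: big.NewInt(time.Now().UnixNano()), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(time.Hour), BasicConstraintsValid: true,
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil {
		t.IsCA, t.KeyUsage, t.ExtKeyUsage = true, x509.KeyUsageCertSign, nil
		parent, parentKey = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, pub, parentKey)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// serverAccepts needs both: c chains to the trusted CA, and sig over nonce verifies under c's public key.
func serverAccepts(ca, c *x509.Certificate, nonce, sig []byte) bool {
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	_, err := c.Verify(x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}})
	pub, ok := c.PublicKey.(ed25519.PublicKey)
	return err == nil && ok && ed25519.Verify(pub, nonce, sig)
}

// demo: verdicts for the real key holder, a copied cert without its key, and a cert not signed by the CA.
func demo() (holder, certOnly, impostor bool) {
	ca, caKey := issue("Example CA", nil, nil)
	cert, key := issue("client.example", ca, caKey)
	fake, fakeKey := issue("client.example", nil, nil) // self-signed, same name, never seen by the CA
	nonce := make([]byte, 32)                          // fresh server challenge
	rand.Read(nonce)
	check := func(c *x509.Certificate, k ed25519.PrivateKey) bool { return serverAccepts(ca, c, nonce, ed25519.Sign(k, nonce)) }
	return check(cert, key), check(cert, fakeKey), check(fake, fakeKey)
}
func main() { fmt.Println(demo()) }
```

Only the first case is accepted: the copied certificate fails the signature check, and the self-signed certificate fails chain verification.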
