Al,

I'm afraid that while you are technically correct, you might leave the wrong
impression. Although it is true that there is little to *prevent* a user
from handing out his private key, there is also no reason for users to do
this and applications do not generally make it easy. Also, in this respect
the server digital ID is no more secure than the client ID.

There is no way to verify anything on this earth with complete certainty;
fortunately, that is not the aim of cryptography and does not
appear to be in the OpenSSL project goals.


  Greg Stark
  Who?Vision Systems, Inc.
 [EMAIL PROTECTED]



----- Original Message -----
From: "Al Shaver" <[EMAIL PROTECTED]>
To: <[EMAIL PROTECTED]>
Sent: Friday, April 28, 2000 10:01 AM
Subject: Re: Client Authentication??


> Michael -
>
> It's true that a cert won't function unless the cert
> holder also has the corresponding private key,
> but the ongoing discussion about these
> certs was assuming that the owner of the
> private/public
> key pair would distribute everything (cert, BOTH keys,
> etc) to other parties.
>
> Several responses to the original post (and to the
> follow-ups) have nicely summarized the issue, and it
> boils down to this: there's no way to verify with
> complete certainty that the holder of a client
> certificate is the cert's owner. Period.
>


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]
