"Kenneth R. Robinette" wrote:
> okay, well try this approach:
>
> 1. Give your public key to anyone who wants it (email, whatever...)
> 2. Create an SSL connection from client to server.
> 3. Verify that the server is who you think it is (via the public key)
> (client can now trust server)
> 4. Pass an encrypted token to the client (encrypted with client password)
> 5. Client decrypts and replies with the decrypted token (server can now
> trust client)
Sorry, I don't see how. There's no binding between a client (using
*what* as an identifier?) and the public key. This kind of ad hoc
thinking by amateurs never results in a protocol worthy of deployment.
The whole concept of encrypting public keys is ludicrous, and it
doesn't matter what the answers are when you're asking the wrong
questions.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
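The five-step exchange quoted above, as an added stand-alone Python example that is not from either poster. It assumes the key in step 1 is the server's (pinned by a SHA-256 fingerprint for step 3), replaces the SSL layer with direct function calls, and uses an HMAC-derived keystream as an illustrative stand-in cipher for step 4 rather than a vetted one; because the server must know whose password to use, a client_id the sketch never names is passed explicitly.

```python
import hashlib
import hmac
import secrets

# Constructed stand-in for the server public key obtained out of band (step 1).
SERVER_PUBKEY = b"-----CONSTRUCTED SERVER PUBLIC KEY-----"
PINNED_FINGERPRINT = hashlib.sha256(SERVER_PUBKEY).hexdigest()

# Constructed server-side password store, keyed by the client identifier
# the quoted sketch leaves implicit.
PASSWORDS_ON_FILE = {"alice": "correct horse battery staple"}
SALT = b"constructed-per-user-salt"


def client_verifies_server(presented_pubkey: bytes) -> bool:
    """Step 3: compare the key presented in the handshake with the pinned copy."""
    presented = hashlib.sha256(presented_pubkey).hexdigest()
    return hmac.compare_digest(presented, PINNED_FINGERPRINT)


def derive_key(password: str, salt: bytes) -> bytes:
    """Turn the client password into a fixed-length key (PBKDF2-HMAC-SHA256)."""
    return hashlib.pbkdf2_hmac("sha256", password.encode(), salt, 200_000, dklen=32)


def keystream_xor(key: bytes, nonce: bytes, data: bytes) -> bytes:
    """Illustrative cipher only: XOR with an HMAC(key, nonce||counter) keystream."""
    stream = bytearray()
    counter = 0
    while len(stream) < len(data):
        stream += hmac.new(key, nonce + counter.to_bytes(4, "big"), hashlib.sha256).digest()
        counter += 1
    return bytes(a ^ b for a, b in zip(data, stream))


def server_challenge(client_id: str):
    """Step 4: pick a random token, encrypt it under the client's stored password."""
    token = secrets.token_bytes(16)
    nonce = secrets.token_bytes(16)
    key = derive_key(PASSWORDS_ON_FILE[client_id], SALT)
    return token, (nonce, keystream_xor(key, nonce, token))


def client_response(password: str, challenge) -> bytes:
    """Step 5: decrypt the token with the password the client knows."""
    nonce, ciphertext = challenge
    return keystream_xor(derive_key(password, SALT), nonce, ciphertext)


def run_exchange(client_id: str, client_password: str) -> bool:
    """Whole flow; True only if the returned token matches the one sent."""
    expected, challenge = server_challenge(client_id)
    reply = client_response(client_password, challenge)
    return hmac.compare_digest(expected, reply)
```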