This is why in my other replies to whomever - I made the statement about how
fast all this can be done.  It takes at least 3 good handshakes to get
onboard an SSL site - but, what matters the most is that
&*_*&)^&^)*_**;qwepqowifskljfas that surrounds the key - is intact and not
minus or plus one letter or symbol or corrupted in any way and what do the
placements of those objects matter.  That's what is being looked for in the
comparisons of the algorithms that do the checking.  Of course you want the
inside data to be left intact - but, can you really do that and find it out
without corrupting its wrapper? in the length of time shorter than it takes
for the originator to establish a legitimate connection?  NO - you cannot,
unless you are running a seamless proxy intercepting and passing on before
you as you go.  Not impossible - but, usually done only outside the United
States where it's uncontrolled.  Most objects (subjects or persons --
whatever) in the U.S. don't even have the education to go there - so why
bother worrying about it.



-----Original Message-----
From: David Schwartz [mailto:[EMAIL PROTECTED]
Sent: Tuesday, May 17, 2005 1:59 PM
To: openssl-users@openssl.org
Subject: RE: Re: simple question again



> > > if somebody intercepts the certificate while it is in transit
> > > on the network, this person can use this certificate ?

> > If you have a certificate you can verify something that's been signed
> > with the private key, or you can encrypt something so that only the
> > holder of the private key can decrypt it.

> > You can't "do anything bad" with a certificate.  In particular, you
> > cannot sign anything with it.

> In fact I use certificate to establish a VPN, the handcheck is
> based only on the certificate.
> Thus if somebody intercepts a certificate it can use the VPN ?
> (because the VPN server accepts all connection if it knows CA
> which signed the certificate of the user)

        A certificate essentially says something like "I am Verisign, and I
certify that Joe Schmoe is the rightful owner of the private key whose
corresponding public key is X".

        The certificate itself is generally considered public information
and it is not a problem if the certificate is intercepted. If someone else
presents that certificate, it still conveys only the correct and valid
information that Joe Schmoe is the rightful owner of that key, as decided by
Verisign.

        I think your question comes out of a misunderstanding of what you
actually *do* with a certificate. In the example of a browser going to a
secure web site, the browser receives the certificate and does the following
checks:

        1) Is the certificate valid and properly signed by a certification
authority?

        2) Do I trust that certificate authority for the purpose of
authenticating web sites?

        3) Is the name in the certificate actually the place I was trying to
reach? (If I was trying to reach "www.amazon.com", is this the name in the
certificate?)

        4) Can the machine I reached prove that it holds the corresponding
private key to the public key in the certificate?

        If all four questions get yes answers, then you see that little
locking icon. If the certificate is used by anyone else, they will fail
test 4 unless they have the site's corresponding private key.

        The same applies to a VPN authentication operation, assuming it's
properly designed. Presenting the certificate is only one step. You still
have to prove that you are the party the certificate was issued to by
demonstrating possession of the private key.

        DS


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
______________________________________________________________________
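
Check 4 from the quoted message (proof of possession of the private key), as an added example that is not part of the original thread: a simplified challenge-response with the openssl command line, not the actual TLS or VPN handshake. The file names, the self-signed certificate standing in for a CA-issued one, and the "mallory" key are all constructed for the demo.

```shell
#!/bin/sh
# Added demo: every file name, the CN and the "mallory" key are constructed.
# Simplified challenge-response, not the actual TLS or VPN handshake.
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Create a private key plus a self-signed certificate (stand-in for a CA-issued one).
make_identity() {   # $1 = base name, $2 = subject CN
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$WORK/$1.key" -out "$WORK/$1.crt" 2>/dev/null
}

# Verifier: issue a fresh random challenge for each authentication attempt.
new_challenge() { openssl rand -hex 32 > "$WORK/challenge"; }

# Prover: sign the current challenge with the private key it actually holds.
answer_challenge() {   # $1 = private key file
    openssl dgst -sha256 -sign "$1" -out "$WORK/response" "$WORK/challenge"
}

# Verifier: test the response against the public key inside the presented certificate.
check_response() {   # $1 = certificate file; prints ACCEPT or REJECT
    openssl x509 -in "$1" -pubkey -noout > "$WORK/pub.pem"
    if openssl dgst -sha256 -verify "$WORK/pub.pem" \
        -signature "$WORK/response" "$WORK/challenge" >/dev/null 2>&1
    then echo ACCEPT; else echo REJECT; fi
}

# Rightful owner: presents joe.crt and signs with joe.key.
owner_attempt() { new_challenge; answer_challenge "$WORK/joe.key"; check_response "$WORK/joe.crt"; }

# Someone who only intercepted joe.crt: has to sign with a key of their own.
interceptor_attempt() { new_challenge; answer_challenge "$WORK/mallory.key"; check_response "$WORK/joe.crt"; }

# Someone who also recorded an old valid response: the next challenge differs.
replay_attempt() {
    new_challenge; answer_challenge "$WORK/joe.key"   # recorded exchange
    new_challenge; check_response "$WORK/joe.crt"     # stale response, new challenge
}

make_identity joe "Joe Schmoe"
make_identity mallory "Mallory"
echo "owner:       $(owner_attempt)"
echo "interceptor: $(interceptor_attempt)"
echo "replay:      $(replay_attempt)"
```

Only the attempt signed with joe.key against a fresh challenge is accepted; presenting joe.crt alone, or replaying an old response, is rejected.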