Actually, he did answer my question precisely. I asked if there was a way to create an ephemerally (i.e., unauthenticated) encrypted session, after which I could exchange certificates.
My intent is to thwart Eve (the eavesdropper... i.e., the sysadmin who is doing network monitoring, as an example). I am aware that Mallory (the malicious peer who wants to be the MITM) could obtain the credentials on the renegotiation; however, that requires an active attempt to violate the security of the connection [and thus the 'secrecy' of the contents of the certificates]. My issue is that user certificates from standard CAs tend to include a lot more information about individuals (CN="This User", CI="Cityname", ST="Statename", C="countrycode") than any eavesdropper needs to know, thus making identity theft attacks much easier when someone's spying on the line. So, I would like to make it explicit that someone maliciously obtaining the information from the certificate is doing so with no "but it was on the network in the clear!" defense... and thus, is provably attempting to access a data stream in an unauthorized fashion. Thanks, Dr. Henson. -Kyle H On 12/30/05, David Schwartz <[EMAIL PROTECTED]> wrote: > > > On Fri, Dec 30, 2005, Kyle Hamilton wrote: > > > Yes, you start with an unauthenticated ciphersuite (for example > > anon-DH) and > > then renegotiate the session. The initial handshake is sent in > > the clear, the > > second one would use the existing ciphersuite. > > > > That wont thwart a man in the middle attack on the initial anon-DH session > > though which would reveal the second handshake data. > > You usually make more sense than this. You start out saying "yes", > and then > present a way that doesn't do what he asked at all. > > DS > > > ______________________________________________________________________ > OpenSSL Project http://www.openssl.org > User Support Mailing List openssl-users@openssl.org > Automated List Manager [EMAIL PROTECTED] > ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager [EMAIL PROTECTED]
