> This is a naive question and excuse my ignorance if it has been asked
> before:

        It's actually a pretty good question.

> Assuming I have a client and server communication with SSL and only
> server certificate verification is used: How exactly does the root certificate
> get installed onto client machines? With Microsoft Internet Explorer
> there seem to be many trusted root certificates in the browser. Are
> these already built in when the browser is installed, or are they
> somehow downloaded to the browser, say, at a later time?

        Usually both. The browser comes with a list of trusted root certificates
pre-installed. Browser or operating system updates may include new trusted
root certificates or might remove old ones. Users can also install them
manually.

> Another question arises: if they are downloaded to the browser at a later
> time, how is a man-in-the-middle attack prevented? How can I trust that the
> root certificate I downloaded is really from the CA and not swapped by
> someone in the middle?

        There are various ways. The most common is to use a root certificate
that's already trusted. For example, if some large company creates their own
CA and root certificate, they could post that root certificate on a web site
that was using SSL and a Verisign certificate. The Verisign certificate would
simply confirm that I was connecting to the company's web server and I would
trust their server to give me the key.

        Another way is to sign the key itself. Yet another way is to include a
signed 'installer' that installs the new root key.

        DS
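The two bootstrapping approaches in the reply above (fetching a new root over a connection vouched for by an already-trusted root, and signing the new root itself), walked through with the openssl CLI. This is an added example, not code from the thread; it assumes openssl is on PATH, and every name in it ("Trusted Root CA", "Company Root CA", www.example.test) is made up for the demonstration.

```shell
#!/bin/sh
# Added example (not from the thread): bootstrapping trust in a new root
# certificate from one the client already trusts, using the openssl CLI.
# Assumptions: openssl is on PATH; all names below are made up.
set -e
WORK=$(mktemp -d); cd "$WORK"

# A root the client already trusts (stands in for the Verisign root in the reply).
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Trusted Root CA" \
  -keyout trusted.key -out trusted.crt 2>/dev/null
# The company's own self-signed root, which the client has never seen.
openssl req -x509 -newkey rsa:2048 -nodes -days 365 -subj "/CN=Company Root CA" \
  -keyout company.key -out company.crt 2>/dev/null
# A server certificate issued by the company CA (constructed sample).
openssl req -new -newkey rsa:2048 -nodes -subj "/CN=www.example.test" \
  -keyout server.key -out server.csr 2>/dev/null
openssl x509 -req -in server.csr -CA company.crt -CAkey company.key -CAcreateserial \
  -days 30 -out server.crt 2>/dev/null

# Succeeds only when CERT ($2) chains to a root present in STORE ($1).
verify_against_store() {
  openssl verify -CAfile "$1" "$2" >/dev/null 2>&1
}

# "Sign the key itself": the already-trusted CA signs the company root file,
# so a client that fetched it can check it is the root the CA vouched for.
openssl dgst -sha256 -sign trusted.key -out company.crt.sig company.crt

# Succeeds only when SIG ($3) over FILE ($2) was made by the key in CERT ($1).
check_signature() {
  openssl x509 -in "$1" -pubkey -noout > "$WORK/signer.pub"
  openssl dgst -sha256 -verify "$WORK/signer.pub" -signature "$3" "$2" >/dev/null 2>&1
}

# Before the company root is installed, its server cert does not verify;
# after installing (appending) the root to the store, it does.
verify_against_store trusted.crt server.crt || echo "not trusted yet (expected)"
cat trusted.crt company.crt > store.pem
verify_against_store store.pem server.crt && echo "trusted after installing root"
check_signature trusted.crt company.crt company.crt.sig && echo "root signature OK"
```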


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org