> Hi, all.  I'm hoping somebody can clarify the confusion for me.
>
> Do certs need to be guarded or not?

        Almost never.

> Because what happens if you're doing client-side authentication and a
> server asks you for your cert, caches it and that server is later
> compromised?

        Nothing.

> What will prevent somebody from stealing my cert and going around
> pretending to be me?

        Conceptually, the cert proves that you are you, not that whoever
presents it is you. Procedurally, the cert associates a particular private
key with a particular identity. Since they don't have your private key,
proving that the holder of the private key is you (which is what the
certificate does) doesn't help them.

        DS


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
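
Added example, not part of the original message or of OpenSSL's own code: a minimal proof-of-possession check with the openssl command line, showing that a copy of the cert without the matching private key does not pass. The CN "alice", the file names, the self-signed cert (standing in for a CA-issued one) and the bare challenge/response (standing in for the signature a TLS client makes during client authentication) are all assumptions made for the demo.

```shell
# Constructed demo: every name and file below is made up for illustration.
set -u
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Alice: a private key (kept secret) and a self-signed cert (public).
setup_identity() {
    openssl ecparam -name prime256v1 -genkey -noout \
        -out "$WORK/alice.key" 2>/dev/null &&
    openssl req -new -x509 -key "$WORK/alice.key" -subj "/CN=alice" \
        -days 1 -out "$WORK/alice.crt" 2>/dev/null
}

# Server: a fresh random challenge for every authentication attempt.
new_challenge() {
    openssl rand -hex 32 > "$WORK/challenge"
}

# Client: prove possession by signing the challenge with private key $1.
sign_challenge() {
    openssl dgst -sha256 -sign "$1" -out "$WORK/proof.sig" "$WORK/challenge"
}

# Server: check the proof against the public key inside the presented cert.
verify_proof() {
    openssl x509 -in "$WORK/alice.crt" -pubkey -noout > "$WORK/alice.pub" &&
    openssl dgst -sha256 -verify "$WORK/alice.pub" \
        -signature "$WORK/proof.sig" "$WORK/challenge" >/dev/null 2>&1
}

# The real Alice holds alice.key, so her proof verifies.
legit_login() {
    new_challenge && sign_challenge "$WORK/alice.key" && verify_proof
}

# Someone holding only a copy of alice.crt has to sign with some other key,
# and that signature does not match the public key in the cert.
cert_only_login() {
    openssl ecparam -name prime256v1 -genkey -noout \
        -out "$WORK/other.key" 2>/dev/null
    new_challenge && sign_challenge "$WORK/other.key" && verify_proof
}

setup_identity || exit 1
legit_login     && echo "holder of private key: accepted"
cert_only_login || echo "holder of cert copy only: rejected"
```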
