> AngelWarrior <srikanth.bemin...@gmail.com> writes:
>
> > but this still requires a CA kind of certificate right.
> > I dont know if the client will be have a CA certificate
> > to authenticate it.If I am wrong please explain me how
> > it can be done.
>
> The server must have or know something that an attacker does not
> have or know. Otherwise, there is no way for the client to know
> that it is talking to the server, which you have said is a requirement.
>
> So the question is: What would you like to be that something that
> the server has or knows that an attacker cannot have or know?
>
> It can be a CA certificate, but it does not have to be.
> However, it must be something.
>
> DS

Sorry to reply to myself, but I should clarify:

That something the server has or knows, must be from the perspective of the
client. So "some random certificate I just generated" doesn't work because
an attacker can also generate some random certificate. Though they can't
generate the exact same certificate the server happened to generate, the
client must have some way to tell the difference.

DS


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org

Reply via email to