> AngelWarrior <srikanth.bemin...@gmail.com> writes: > > > but this still requires a CA kind of certificate right. > > I dont know if the client will be have a CA certificate > > to authenticate it.If I am wrong please explain me how > > it can be done. > > The server must have or know something that an attacker does not > have or know. Otherwise, there is no way for the client to know > that it is talking to the server, which you have said is a requirement. > > So the question is: What would you like to be that something that > the server has or knows that an attacker cannot have or know? > > It can be a CA certificate, but it does not have to be. > However, it must be something. > > DS
Sorry to reply to myself, but I should clarify: That something the server has or knows, must be from the perspective of the client. So "some random certificate I just generated" doesn't work because an attacker can also generate some random certificate. Though they can't generate the exact same certificate the server happened to generate, the client must have some way to tell the difference. DS ______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List openssl-users@openssl.org Automated List Manager majord...@openssl.org
