AngelWarrior wrote:

> but this still requires a CA kind of certificate right.
> I don't know if the client will have a CA certificate
> to authenticate it. If I am wrong please explain to me how
> it can be done.

The usual solution (as used on secure web pages, for credit card orders, and
so on) is as follows:

1) The client connects to the server, knowing the name of the server it
wants to reach (say, 'www.amazon.com' or 'www.paypal.com').

2) The server proves its identity to the client with a CA-issued
certificate. The client confirms that the certificate is validly signed by a
CA it trusts, issued to the name of the server it wanted to reach, and that
the server it connects to knows the private key corresponding to the public
key in the server.

- - At this stage, the client knows it has a secure connection to the server
it wants. The server has no idea who it's talking to. - -

3) The client proves its identity to the server with a user/account name and
password. The user knows it is talking to the correct server, and so can
send its password without fear.

- - At this stage, each end knows who it is talking to and knows that there
cannot be any interceptors or MITMs (unless one side has not done what it
was supposed to do, but you can always compromise your own security). - -

There is no need for the client to have a certificate unless there is no
other way for the client to prove its identity to the server.

DS
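The three steps in the reply above, as an added client-side example using Python's standard ssl module (not code from the thread or from OpenSSL itself): the context is configured so the server must present a trusted, name-matching certificate, and the password is only written to the socket after that handshake has succeeded. Host, port, account name and CA file path are placeholders.

```python
"""Client side of the flow: authenticate the server with its CA-issued
certificate (chain to a trusted CA, name match, proof of private-key
possession done by the handshake), then prove the client's identity with
a password over the now-authenticated channel.  Added example; the host,
port, user and CA path are placeholders, not values from the thread."""
import socket
import ssl
from typing import Optional


def make_client_context(cafile: Optional[str] = None) -> ssl.SSLContext:
    """Step 2 as the client enforces it: a certificate is mandatory
    (CERT_REQUIRED), it must chain to a CA we trust, and its name must match
    the host we asked for (check_hostname).  The handshake itself proves the
    server holds the matching private key."""
    ctx = ssl.create_default_context(purpose=ssl.Purpose.SERVER_AUTH)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if cafile:
        ctx.load_verify_locations(cafile=cafile)  # private CA on top of system roots
    return ctx


def server_auth_enforced(ctx: ssl.SSLContext) -> bool:
    """True only if both halves of step 2 are switched on."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and bool(ctx.check_hostname)


def requires_server_name(ctx: ssl.SSLContext) -> bool:
    """With check_hostname on, Python refuses to wrap a socket without a name
    to verify against (ValueError), so step 2 cannot be skipped by accident."""
    a, b = socket.socketpair()  # local pair, no network needed
    try:
        ctx.wrap_socket(a, server_hostname=None, do_handshake_on_connect=False)
        return False
    except ValueError:
        return True
    finally:
        a.close()
        b.close()


def login_over_tls(host: str, port: int, user: str, password: str,
                   cafile: Optional[str] = None) -> bytes:
    """Steps 1-3.  The password is sent only inside the `with` block, i.e.
    only after wrap_socket() completed the handshake and every check held."""
    ctx = make_client_context(cafile)
    with socket.create_connection((host, port)) as raw:
        # server_hostname is both the SNI value and the name checked in step 2
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            tls.sendall(f"LOGIN {user} {password}\n".encode())  # step 3
            return tls.recv(4096)
```

A deployment that sets `verify_mode = CERT_NONE` or `check_hostname = False` is the "one side has not done what it was supposed to do" case from the reply: the handshake still encrypts, but the client no longer knows whom it is talking to before it sends the password.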


______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org