Re: Client Authentication and Private Key

2005-01-18 Thread Ken Goldman
Intuitively, you have to know that the client needs its private key
for something.  Since the public key certificate is public, it alone
can't prove that the client is you.  Anyone can send your certificate
to a server, right?

In practice, the server walks the certificate chain, which proves that
the certificate is cryptographically valid.  It then sends a challenge
to the client, which the client signs with its private key.  Once the
server verifies the signature using the client public key, it knows
that the client is you (only if it trusts the certificate chain).

> If the client sends the server its certificate (public key) and the
> server validates the signature against the list of CA's to see if the
> client is authenticated/valid then my question is... if the client is
> not going to use the private key for signing does it even NEED the
> primary key AT ALL? Can it be deleted?

-- 
Ken Goldman   [EMAIL PROTECTED]   914-784-7646
__
OpenSSL Project http://www.openssl.org
User Support Mailing List    openssl-users@openssl.org
Automated List Manager   [EMAIL PROTECTED]
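
The exchange Ken sketches, as an added example in Go (this is not code from the thread, from OpenSSL, or from any of the posters): a constructed test CA issues a client certificate, the server walks the chain, sends a random challenge, and checks the client's signature with the public key taken from the certificate. The CA name, the subject names, the P-256 keys and the one-day validity are assumed fixtures. Real TLS client authentication does not sign a server-chosen nonce: the CertificateVerify message signs a hash of the handshake transcript, so this models the logic of the exchange rather than the wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

// template is a minimal certificate skeleton (constructed fixture, one-day validity).
func template(serial int64, cn string) *x509.Certificate {
	return &x509.Certificate{
		SerialNumber: big.NewInt(serial),
		Subject:      pkix.Name{CommonName: cn},
		NotBefore:    time.Now().Add(-time.Hour),
		NotAfter:     time.Now().Add(24 * time.Hour),
	}
}

// newCA builds a self-signed P-256 root; whether the server trusts it is the server's own decision.
func newCA(name string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := template(1, name)
	tmpl.IsCA, tmpl.BasicConstraintsValid, tmpl.KeyUsage = true, true, x509.KeyUsageCertSign
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// issueClientCert generates a client key pair and has the CA certify its public half.
func issueClientCert(ca *x509.Certificate, caKey *ecdsa.PrivateKey, cn string) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	tmpl := template(2, cn)
	tmpl.KeyUsage, tmpl.ExtKeyUsage = x509.KeyUsageDigitalSignature, []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &key.PublicKey, caKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert, key
}

// clientSigner is the client side: the server never sees the key, only signatures made with it.
func clientSigner(key *ecdsa.PrivateKey) func([]byte) ([]byte, error) {
	return func(challenge []byte) ([]byte, error) {
		digest := sha256.Sum256(challenge)
		return ecdsa.SignASN1(rand.Reader, key, digest[:])
	}
}

// authenticate is the server side: walk the chain, then demand proof of key possession.
func authenticate(roots *x509.CertPool, cert *x509.Certificate, sign func([]byte) ([]byte, error)) (string, error) {
	// Step 1: chain to a trusted root. This proves the certificate is genuine, not that the presenter owns it.
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return "", fmt.Errorf("chain validation failed: %w", err)
	}
	// Step 2: a fresh random challenge, so a signature captured earlier cannot be replayed.
	challenge := make([]byte, 32)
	if _, err := rand.Read(challenge); err != nil {
		return "", err
	}
	sig, err := sign(challenge)
	if err != nil {
		return "", err
	}
	// Step 3: the answer must verify under the public key carried in the certificate.
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	digest := sha256.Sum256(challenge)
	if !ok || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", fmt.Errorf("challenge signature does not verify: peer lacks the private key for %q", cert.Subject.CommonName)
	}
	return cert.Subject.CommonName, nil
}

func main() {
	ca, caKey := newCA("Example Test CA")
	roots := x509.NewCertPool()
	roots.AddCert(ca)
	aliceCert, aliceKey := issueClientCert(ca, caKey, "alice")
	// Honest client: certificate plus the matching private key.
	fmt.Println(authenticate(roots, aliceCert, clientSigner(aliceKey)))
	// Impostor: replays alice's public certificate but can only sign with its own key.
	_, malloryKey := issueClientCert(ca, caKey, "mallory")
	fmt.Println(authenticate(roots, aliceCert, clientSigner(malloryKey)))
}
```

Run it and the honest client comes back as "alice" with a nil error, while the impostor, who holds alice's certificate but not her key, is rejected at step 3. A certificate issued by a CA that is not in roots is rejected earlier, at cert.Verify, which is the "only if it trusts the certificate chain" qualification above. Either way the answer to the original question is the same: the certificate is public and is not a credential on its own; the private key is what proves the client is who the certificate says.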


Re: Client Authentication and Private Key

2005-01-18 Thread Chris Covell
As I understand it, the client signs data sent from the server in
order to authenticate itself. Therefore yes it does need its private
key.


On Tue, 18 Jan 2005 11:17:01 +, Shaun Lipscombe
<[EMAIL PROTECTED]> wrote:
> 
> If the client sends the server its certificate (public key) and the
> server validates the signature against the list of CA's to see if the
> client is authenticated/valid then my question is... if the client is
> not going to use the private key for signing does it even NEED the
> primary key AT ALL? Can it be deleted?