Ben - all client cert details are available to the servers that you present your certificate to. This is a dump of some of the standard details presented to the server in your client cert:
Client Certificate
------------------
SSL_CLIENT_A_KEY        rsaEncryption
SSL_CLIENT_A_SIG        md5WithRSAEncryption
SSL_CLIENT_I_DN         /C=GB/L=London/O=XXX Limited/OU=Certificate Authority/CN=XXX Limited (Primary CA)[EMAIL PROTECTED]
SSL_CLIENT_I_DN_C       GB
SSL_CLIENT_I_DN_CN      XXX Limited (Primary CA)
SSL_CLIENT_I_DN_Email   [EMAIL PROTECTED]
SSL_CLIENT_I_DN_L       London
SSL_CLIENT_I_DN_O       XXX Limited
SSL_CLIENT_I_DN_OU      Certificate Authority
SSL_CLIENT_M_SERIAL     D5
SSL_CLIENT_M_VERSION    3
SSL_CLIENT_S_DN         /C=GB/ST=20011211 110118/O=XXX Limited London/OU=Director/CN=Jeff [EMAIL PROTECTED]
SSL_CLIENT_S_DN_C       GB
SSL_CLIENT_S_DN_CN      Jeff xxx
SSL_CLIENT_S_DN_Email   [EMAIL PROTECTED]
SSL_CLIENT_S_DN_O       XXX Limited London
SSL_CLIENT_S_DN_OU      Director
SSL_CLIENT_S_DN_ST      20011211 110118
SSL_CLIENT_V_END        Dec 11 11:02:06 2006 GMT
SSL_CLIENT_V_START      Dec 11 11:02:06 2001 GMT
SSL_CLIENT_VERIFY       SUCCESS

The CLIENT_I vars contain details of the certificate issuer. The CLIENT_S vars contain details of the client. Basically the entire contents of the certificate are available to any server that you present this certificate to.

In many browsers, you can control which certificate, if any, is presented to the server; the details are not automatically presented unless this is how you configure your browser. In my experience with NS4.0-NS4.7x and MS IE5.01-6.0, they do NOT automatically present a cert unless you change the default settings / internet options.

The certificate details are not passed unencrypted over the internet - they are passed to the server securely inside the SSL pipe, so details are not disclosed to network sniffers. Of course the web server can do whatever it likes with the details, as it is one of the two trusted parties in the conversation.
Regards
Jeff

-----Original Message-----
From: [EMAIL PROTECTED] [mailto:[EMAIL PROTECTED]] On Behalf Of Ben Elliston
Sent: 10 May 2002 04:31
To: [EMAIL PROTECTED]
Cc: [EMAIL PROTECTED]
Subject: client certificate disclosures

I have a client certificate that was issued to me by a CA that contains potentially sensitive information such as my name, my position within my organisation, my location, and so on. This certificate has been imported into my browser (Netscape).

What are the rules in the SSL protocol regarding the disclosure of client certs to any HTTPS server I might connect to? Since the certs are signed and not encrypted, if SSL sends some or all of these certs to a foreign HTTPS server, won't my X.509 credentials be disclosed to the foreign server?

I am hoping I have a fundamental misunderstanding here ..

Thanks,
Ben

______________________________________________________________________
Apache Interface to OpenSSL (mod_ssl)                   www.modssl.org
User Support Mailing List                            [EMAIL PROTECTED]
Automated List Manager                               [EMAIL PROTECTED]
______________________________________________________________________
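A server-side script behind mod_ssl sees exactly the SSL_CLIENT_* variables Jeff lists above, which is the whole point of the thread. The following Python is an added example, not code from either message or from mod_ssl itself: it parses those variables into a structured identity and only treats the subject DN as trustworthy when mod_ssl reports SSL_CLIENT_VERIFY=SUCCESS and the certificate is inside its validity window. The sample environment is constructed from the dump above, with placeholder e-mail addresses standing in for the redacted ones.

```python
"""Parse mod_ssl's SSL_CLIENT_* environment into a trusted identity record."""
from datetime import datetime, timezone
from typing import Optional

# Constructed sample, modelled on the dump in the reply above.
# E-mail addresses are placeholders for the redacted originals.
SAMPLE_ENV = {
    "SSL_CLIENT_VERIFY": "SUCCESS",
    "SSL_CLIENT_M_SERIAL": "D5",
    "SSL_CLIENT_M_VERSION": "3",
    "SSL_CLIENT_A_SIG": "md5WithRSAEncryption",
    "SSL_CLIENT_I_DN": "/C=GB/L=London/O=XXX Limited/OU=Certificate Authority"
                       "/CN=XXX Limited (Primary CA)/Email=ca@example.invalid",
    "SSL_CLIENT_S_DN": "/C=GB/ST=20011211 110118/O=XXX Limited London"
                       "/OU=Director/CN=Jeff xxx/Email=jeff@example.invalid",
    "SSL_CLIENT_V_START": "Dec 11 11:02:06 2001 GMT",
    "SSL_CLIENT_V_END": "Dec 11 11:02:06 2006 GMT",
}

def parse_dn(dn: str) -> dict:
    """Split a mod_ssl one-line DN ('/C=GB/O=Acme/CN=x') into components.
    Values containing a literal '/' are not handled by this simple splitter."""
    parts = {}
    for rdn in dn.lstrip("/").split("/"):
        if "=" in rdn:
            key, _, value = rdn.partition("=")
            parts[key.strip()] = value.strip()
    return parts

def parse_validity(stamp: str) -> datetime:
    """Parse the OpenSSL-style 'Mon DD HH:MM:SS YYYY GMT' timestamp mod_ssl exports."""
    return datetime.strptime(stamp, "%b %d %H:%M:%S %Y GMT").replace(tzinfo=timezone.utc)

def client_identity(env: dict, now: Optional[datetime] = None) -> Optional[dict]:
    """Return the identity a script may rely on, or None if it must not be trusted.
    The variables are present whenever a cert was presented, but they only mean
    something once mod_ssl has verified the chain and the cert is not expired."""
    now = now or datetime.now(timezone.utc)
    if env.get("SSL_CLIENT_VERIFY") != "SUCCESS":
        return None
    start = parse_validity(env["SSL_CLIENT_V_START"])
    end = parse_validity(env["SSL_CLIENT_V_END"])
    if not start <= now <= end:
        return None
    return {
        "serial": env["SSL_CLIENT_M_SERIAL"],
        "subject": parse_dn(env["SSL_CLIENT_S_DN"]),
        "issuer": parse_dn(env["SSL_CLIENT_I_DN"]),
        # MD5-signed certificates (as in the dump) should be flagged for replacement.
        "weak_sig": env.get("SSL_CLIENT_A_SIG", "").lower().startswith("md5"),
    }
```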
