I don't recommend this practice. It reduces the certificate to an
unauthenticated container of the public key and as such
constitutes poor security practice; it is both misleading,
and places an undue burden on users to understand the
security implications of such a choice.

That said, the answers to the technical portions of the
question are:

The standard serialization format for certificates is DER.
It comes over the wire that way. The SSLeay package has
APIs to deal with encoding and decoding from this format.
See in particular the i2d_X509 and d2i_X509 routines.
Also see the ASN1_i2d_fp and ASN1_i2d_bio routines for
combining these with file and buffered BIO. [crypto/asn1]
--a.
Christian Starkjohann wrote:
>
> Hi,
> I want to do the following (not with HTTP, but HTTP is a good example): When
> a server presents a certificate and the client does not know the CA, it
> should nevertheless be possible to trust this site. The client should store
> the site's public key and name in a "trusted servers" database.
>
> This is how ssh does server authentication.
>
> Is there a simple way to implement this? There are functions in the X509
> library to extract the public key and the subject's name from the
> certificate, but I have found no functions to serialize them to a file or
> load them from a file. Have I missed something?
>
> --
> Christian Starkjohann
> mail: <cs -AT- obdev.at> or <cs -AT- hal.kph.tuwien.ac.at>
> web: http://www.obdev.at/
> +-------------------------------------------------------------------------+
> | Administrative requests should be sent to [EMAIL PROTECTED] |
> | List service provided by Open Software Associates, http://www.osa.com/ |
> +-------------------------------------------------------------------------+
--
Anil R. Gangolli
Structured Arts Computing Corp.
http://www.StructuredArts.com
mailto:[EMAIL PROTECTED]
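
The "trusted servers" file discussed in this thread, as an added example that is not from either poster and not SSLeay code: it records a server's DER certificate on first contact and reports a mismatch if a later connection presents different bytes. The names `pin_check` and `der_total_len`, the one-line-per-host file format, and the sample bytes are assumptions made for illustration; the DER input is assumed to be what `i2d_X509` produced for the peer certificate.

```c
/* Added example. The DER bytes are assumed to come from i2d_X509() on the peer certificate. */
#include <stdio.h>
#include <string.h>
enum { PIN_ERROR = -1, PIN_NEW = 0, PIN_MATCH = 1, PIN_MISMATCH = 2 };
/* Constructed sample: SEQUENCE { INTEGER 5 } standing in for a real certificate. */
static const unsigned char sample_der[] = { 0x30, 0x03, 0x02, 0x01, 0x05 };

/* Length of the DER SEQUENCE at p (header + body); 0 if malformed or truncated. */
static size_t der_total_len(const unsigned char *p, size_t avail)
{
    size_t len, hdr = 2, n, i;
    if (avail < 2 || p[0] != 0x30) return 0;           /* a certificate is a SEQUENCE */
    len = p[1];
    if (len & 0x80) {                                   /* long form: n length bytes follow */
        n = len & 0x7f;
        if (n == 0 || n > 4 || avail < 2 + n) return 0;       /* DER has no indefinite length */
        if (p[2] == 0 || (n == 1 && p[2] < 0x80)) return 0;   /* length must be minimal */
        for (len = 0, i = 0; i < n; i++) len = (len << 8) | p[2 + i];
        hdr += n;
    }
    return len <= avail - hdr ? hdr + len : 0;
}

/* Store: one "host hex-of-DER" line per server. Unknown host is appended (PIN_NEW). */
static int pin_check(const char *path, const char *host, const unsigned char *der, size_t n)
{
    static const char hex[] = "0123456789abcdef";
    char name[256]; FILE *f;
    size_t i; int c, found = 0, same = 1;
    if (der_total_len(der, n) != n) return PIN_ERROR;   /* not exactly one DER element */
    if (!*host || strlen(host) > 255 || strpbrk(host, " \t\r\n")) return PIN_ERROR;
    if ((f = fopen(path, "r")) != NULL) {
        while (!found && fscanf(f, "%255s", name) == 1) {
            c = fgetc(f);                               /* separator after the host name */
            found = strcmp(name, host) == 0;
            while (!found && c != EOF && c != '\n') c = fgetc(f);   /* skip other records */
        }
        for (i = 0; found && same && i < 2 * n; i++)    /* compare every stored hex digit */
            same = fgetc(f) == hex[(der[i / 2] >> (i % 2 ? 0 : 4)) & 15];
        if (found && same) same = fgetc(f) == '\n';     /* stored copy must end here too */
        fclose(f);
        if (found) return same ? PIN_MATCH : PIN_MISMATCH;
    }
    if ((f = fopen(path, "a")) == NULL) return PIN_ERROR;
    fprintf(f, "%s ", host);
    for (i = 0; i < n; i++) fprintf(f, "%c%c", hex[der[i] >> 4], hex[der[i] & 15]);
    fputc('\n', f);
    return fclose(f) == 0 ? PIN_NEW : PIN_ERROR;
}
```

A caller should treat `PIN_MISMATCH` as a failed authentication and close the connection; `PIN_NEW` means the certificate was accepted without any verification, which is the weakness the reply above points out.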