Thanks for your help but my question wasn't answered. I understand certificate chains - I even created some long ones. My question is about SSL specifically. The way I understand the SSL handshake, the server only sends a certificate to the client - there is no provision to send a certificate chain. This means that if the client only trusts the root certificate (a reasonable assumption) and the root does not directly sign the server certificate (eg there are intermediate certificates in the chain) then the client cannot authenticate the server.

This is what I understand from reading the specs, but common sense tells me that there must be some way for the client to retrieve those intermediate certificates so that the server is authenticated. My belief is supported by what I've seen in the real world - real sites that have a certificate chain 3 certificates long that get authenticated by my browser. From what I see, the middle certificate is not known beforehand to my browser, so my question is how does this work?

Thanks for any help,

Sander

At 03:25 PM 5/26/2004 -0700, you wrote:
See "Certificate Chains" in http://java.sun.com/j2se/1.4.2/docs/tooldocs/windows/keytool.html#Certificates.

Sander Smith wrote:
I'm a bit confused concerning SSL certificates, and hope someone can shed some light. In reading through the SSL spec concerning the SSL handshake, it appears to me that the certificate that authenticates my server must be signed by a certificate that is known to the client's browser. This would preclude the following scenario:
(Root Certificate) => (Intermediate Cert1) => (Intermediate Cert2) => www.mysite.com
Where (Root Certificate) is known to the client but the intermediate certificates are not. My certificate <SHOULD> be considered to be okay since it is traceable back to a trusted certificate, but the SSL handshake seems to say that this is not the case.
However, in looking at some real sites that have real certificates, I see the opposite happening. In particular I see the following:
Verisign => (Intermediate) => www.somesite.com
Where Verisign is known to my browser, but the intermediate certificate is not. It is of the form:
www.verisign.com/CPS Incorp.by Ref. ... (some other stuff)
What is going on here? Is there a way for the browser to get a copy of the intermediate certificate if it isn't already known to it as a trusted certificate?
Sander Smith



--------------------------------------------------------------------- To unsubscribe, e-mail: [EMAIL PROTECTED] For additional commands, e-mail: [EMAIL PROTECTED]
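An added worked example, not part of this thread and not taken from the keytool documentation linked above. The SSL 3.0 / TLS Certificate handshake message does carry a chain: its certificate_list holds the server's own certificate first, followed in order by the certificates that certify it, with the root itself optional (RFC 2246, section 7.4.2). The Go program below reproduces the client's side of that. It issues a root, two intermediates and a leaf (the four-certificate layout from the first message), then verifies the leaf against a trust store holding only the root, once with the leaf alone and once with the intermediates supplied the way a server sends them. The CA names, the host www.mysite.com and the function names are assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// signer is a certificate together with the private key that signs for it.
type signer struct {
	cert *x509.Certificate
	key  *ecdsa.PrivateKey
}

// issue creates a certificate for cn (all names here are example values).
// parent == nil gives a self-signed root; otherwise parent's key signs it.
// CAs get the certSign usage, leaves get a DNS SAN for hostname checks.
func issue(cn string, isCA bool, parent *signer) (*signer, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 63))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial.Add(serial, big.NewInt(1)), // strictly positive
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.DNSNames = []string{cn}
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	parentCert, parentKey := tmpl, key // self-signed unless a parent is given
	if parent != nil {
		parentCert, parentKey = parent.cert, parent.key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parentCert, &key.PublicKey, parentKey)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &signer{cert: cert, key: key}, nil
}

// BuildChain issues root -> n intermediates -> leaf for host, returned root first.
func BuildChain(host string, n int) ([]*x509.Certificate, error) {
	ca, err := issue("Example Root CA", true, nil)
	if err != nil {
		return nil, err
	}
	chain := []*x509.Certificate{ca.cert}
	for i := 1; i <= n; i++ {
		if ca, err = issue(fmt.Sprintf("Example Intermediate CA %d", i), true, ca); err != nil {
			return nil, err
		}
		chain = append(chain, ca.cert)
	}
	leaf, err := issue(host, false, ca)
	if err != nil {
		return nil, err
	}
	return append(chain, leaf.cert), nil
}

// ClientVerify processes the server's Certificate message the way a TLS client
// does: certList is leaf first, each later certificate certifying the one before
// it (RFC 2246 7.4.2). Only root is trusted in advance; any intermediates must
// come out of certList. It returns the length of the verified path.
func ClientVerify(root *x509.Certificate, certList []*x509.Certificate, host string) (int, error) {
	if len(certList) == 0 {
		return 0, fmt.Errorf("empty certificate_list")
	}
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	for _, c := range certList[1:] { // everything after the leaf is a candidate intermediate
		inters.AddCert(c)
	}
	chains, err := certList[0].Verify(x509.VerifyOptions{
		DNSName: host, Roots: roots, Intermediates: inters,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	if err != nil {
		return 0, err
	}
	return len(chains[0]), nil
}

func main() {
	chain, err := BuildChain("www.mysite.com", 2) // root, int1, int2, leaf
	if err != nil {
		panic(err)
	}
	root, leaf := chain[0], chain[3]
	_, err = ClientVerify(root, []*x509.Certificate{leaf}, "www.mysite.com")
	fmt.Println("leaf alone:", err) // unknown authority: the client cannot bridge the gap
	n, err := ClientVerify(root, []*x509.Certificate{leaf, chain[2], chain[1]}, "www.mysite.com")
	fmt.Println("leaf + intermediates: path length", n, "err", err)
}
```

With only the leaf in the list the client reports an unknown authority, which is the failure the first message predicts; with the two intermediates included the client builds the four-certificate path back to the root it already trusts. That is what the Verisign deployment in the second message relies on: the server sends its "www.verisign.com/CPS Incorp.by Ref." intermediate alongside its own certificate, so the browser never needs it installed beforehand. Leaving an intermediate out of what the server sends is the usual cause of the "unknown issuer" error that some clients show while others, which happen to cache that intermediate, do not.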