From: TAM (auha84@dsl.pipex.com)
Date: Fri Apr 13 2007 - 17:34:44 ART
I'll have a go at this, though after a few(...) beers things are
starting to get hazy.
Say Peer C gets the certificate, all it contains is PeerB's public key
and the signature of the CA. That's fine for initiating communications
with whomever Peer C wants, but what happens when Peer A (or any peer
that Peer C attempts to communicate with) replies to Peer C? Peer
A/other will encrypt its reply with Peer C's (really B's) Public key,
so the only node that can DEcrypt it is the owner of B's Private key
- namely B, and not Peer C. So Peer C may see data coming back from
Peer A but it will be unable to decipher it.
I'm sure someone can explain it a little better than this (and highlight
the downside to writing emails while a little tipsy..)
Thanks,
TAM
Edward Norton wrote:
> Folks ;
> I have spent some time reading and testing the point of using digital certificates as a way of origin authentication with VPN peers, and there is a question which bothers my understanding of the theory, which is as follows:
>
> If peerA wants to check that peerB is actually peerB, he would request the digital certificate of peerB (which contains peerB's public key and the signature of the CA)... On peerA there are two certificates, his own identity certificate and the certificate of the CA (which contains the public key of the CA and will validate the signature on peerB's certificate).
>
> All that is ok. Now the question is... since peerB sends out his digital certificate to anyone who requests to authenticate with him, why can't someone (peerC) get this certificate, install it and act as if he is peerB??
>
>
> I am sure I must be missing something here... can someone explain this?
>
> thanks
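As an added example that is not part of either mail, here is the check TAM's explanation relies on, modelled in Go with only the standard library: a peer presenting a certificate must also prove it holds the matching private key, here by unwrapping a fresh challenge that peerA encrypts under the certificate's public key. The `cert` struct and the `issue`, `authenticate` and `Demo` names are this example's own, and real VPN/TLS handshakes usually make the peer sign handshake data rather than unwrap a nonce, but the point is the same: the certificate alone, which peerC can obtain freely, does not get him through the exchange.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
)

// cert is a stripped-down certificate: the subject's public key plus the CA's signature.
type cert struct {
	pub *rsa.PublicKey
	sig []byte // holds no secret, so peerB can hand the whole thing to anyone
}

// issue has the CA sign the SHA-256 hash of the subject's DER-encoded public key.
func issue(ca *rsa.PrivateKey, subject *rsa.PublicKey) (cert, error) {
	h := sha256.Sum256(x509.MarshalPKCS1PublicKey(subject))
	sig, err := rsa.SignPKCS1v15(rand.Reader, ca, crypto.SHA256, h[:])
	return cert{subject, sig}, err
}

// authenticate is peerA's side: verify the CA signature with the CA public key it
// holds, then wrap a fresh nonce with the certificate's public key and demand it back.
func authenticate(caPub *rsa.PublicKey, presented cert, responder *rsa.PrivateKey) error {
	h := sha256.Sum256(x509.MarshalPKCS1PublicKey(presented.pub))
	if err := rsa.VerifyPKCS1v15(caPub, crypto.SHA256, h[:], presented.sig); err != nil {
		return err // certificate was not issued by our CA
	}
	nonce := make([]byte, 32)
	rand.Read(nonce) // crypto/rand.Read does not return an error on Go 1.24+
	ct, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, presented.pub, nonce, nil)
	if err != nil {
		return err
	}
	got, err := rsa.DecryptOAEP(sha256.New(), nil, responder, ct, nil)
	if err != nil || string(got) != string(nonce) {
		return rsa.ErrDecryption // only the matching private key can unwrap ct
	}
	return nil
}

// Demo: genuine peerB first, then peerC presenting peerB's cert with its own key.
func Demo() (genuine, impostor error) {
	gen := func() *rsa.PrivateKey { k, _ := rsa.GenerateKey(rand.Reader, 2048); return k }
	ca, b, c := gen(), gen(), gen() // constructed keys, not a real CA
	certB, _ := issue(ca, &b.PublicKey)
	return authenticate(&ca.PublicKey, certB, b), authenticate(&ca.PublicKey, certB, c)
}
```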
This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:35 ART