Re: digital certificate question

From: Edward Norton (doubleccie@yahoo.com)
Date: Fri Apr 13 2007 - 18:30:56 ART


Ok folks, I have read whatever was posted so far about my question. All of it is about the private key portion which is hidden with peerB. I know that peerC cannot go anywhere with "emulating" peerB's certificate since he does not have the private key of peerB. That is all ok and understandable, but why on earth do we need to do all this certificate stuff if peerB can just send out his public key (which is public anyway) and depend on his own private key that none can know about?

Ok, in other words, the whole point of the certificate is origin authentication (peerA needs to check that peerB is actually peerB). It is not about decrypting whatever peerB sends, because this is a stage that will come after origin authentication.

In similarity to pre-shared keys, a digital certificate is similar to someone who comes to know your pre-shared key, which is used to authenticate the origin (not decrypt his messages). In similar fashion, is not just getting the certificate of this origin simply as if knowing his pre-shared key??

thanks :)


TAM <auha84@dsl.pipex.com> wrote:
  
I'll have a go at this, though after a few(...) beers things are
starting to get hazy.

Say Peer C gets the certificate; all it contains is Peer B's public key
and the signature of the CA. That's fine for initiating communications
with whomever Peer C wants, but what happens when Peer A (or any peer
that Peer C attempts to communicate with) replies to Peer C? Peer
A/other will encrypt its reply with Peer C's (really B's) public key,
so the only node that can DEcrypt it is the owner of B's private key
- namely B, and not Peer C. So Peer C may see data coming back from
Peer A but it will be unable to decipher it.

I'm sure someone can explain it a little better than this (and highlight
the downside to writing emails while a little tipsy..)

Thanks,

TAM

Edward Norton wrote:
> Folks ;
> I have spent some time reading and testing the point of using a digital certificate as a way of origin authentication with VPN peers. There is a question which bothers my theoretical understanding, which is as follows:
>
> If peerA wants to check that peerB is actually peerB, he would request the digital certificate of peerB (which contains peerB's public key and the signature of the CA). On peerA there are two certificates: his own identity certificate and the certificate of the CA (which contains the public key of the CA and will validate the signature of peerB's certificate).
>
> All that is ok. Now the question is: since peerB sends out his digital certificate to anyone who requests to authenticate with him, why can't someone (peerC) get this certificate, install it and act as if he is peerB??
>
>
> I am sure I must be missing something here... can someone explain this?
>
> thanks
>

       
---------------------------------
Ahhh...imagining that irresistible "new car" smell?
 Check outnew cars at Yahoo! Autos.
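The two points made in this thread, that a certificate only binds a name to a public key and that only the holder of the matching private key can act on it, are easiest to see in code. The following is an added illustration, not part of the thread, written in Python with textbook RSA (small keys, no padding, a toy rather than a real PKI). The peer names peerA, peerB and peerC are taken from the thread; all keys and the nonce are generated inside the script. It shows that peerC presenting a copy of peerB's certificate fails the challenge-response check, that swapping peerC's own key into the copied certificate breaks the CA signature (which is what a bare public key sent without a CA signature could not protect against), and, as TAM describes, that data peerA encrypts to the certificate's key is readable only by peerB.

```python
"""Why holding peerB's certificate does not let peerC act as peerB.
Added illustration: textbook RSA, small keys, no padding. A toy, not a PKI.
Names peerA/peerB/peerC follow the mailing-list thread."""
import hashlib
import random

E = 65537  # public exponent shared by every toy key


def _is_probable_prime(n, rounds=20):
    """Miller-Rabin test; good enough for a toy example."""
    if n < 2:
        return False
    for p in (2, 3, 5, 7, 11, 13):
        if n % p == 0:
            return n == p
    d, r = n - 1, 0
    while d % 2 == 0:
        d //= 2
        r += 1
    for _ in range(rounds):
        x = pow(random.randrange(2, n - 1), d, n)
        if x in (1, n - 1):
            continue
        for _ in range(r - 1):
            x = pow(x, 2, n)
            if x == n - 1:
                break
        else:
            return False
    return True


def _random_prime(bits):
    while True:
        cand = random.getrandbits(bits) | (1 << (bits - 1)) | 1
        if _is_probable_prime(cand):
            return cand


def generate_keypair(bits=256):
    """Return (public_key, private_key) as ((n, e), (n, d))."""
    while True:
        p, q = _random_prime(bits // 2), _random_prime(bits // 2)
        phi = (p - 1) * (q - 1)
        if p != q and phi % E != 0:
            break
    return (p * q, E), (p * q, pow(E, -1, phi))


def _digest(data: bytes, n: int) -> int:
    return int.from_bytes(hashlib.sha256(data).digest(), "big") % n


def sign(private_key, data: bytes) -> int:
    n, d = private_key  # only the holder of d can compute this
    return pow(_digest(data, n), d, n)


def verify(public_key, data: bytes, signature: int) -> bool:
    n, e = public_key
    return pow(signature, e, n) == _digest(data, n)


def _cert_body(subject: str, public_key) -> bytes:
    # canonical bytes the CA signs: the identity bound to the key
    return f"{subject}|{public_key[0]}|{public_key[1]}".encode()


def issue_certificate(ca_private_key, subject: str, subject_public_key) -> dict:
    """The CA binds a name to a public key; the subject's private key never leaves it."""
    return {"subject": subject, "public_key": subject_public_key,
            "ca_signature": sign(ca_private_key, _cert_body(subject, subject_public_key))}


def verify_certificate(cert: dict, ca_public_key) -> bool:
    return verify(ca_public_key, _cert_body(cert["subject"], cert["public_key"]),
                  cert["ca_signature"])


def authenticate_peer(cert: dict, ca_public_key, nonce: bytes, proof: int) -> bool:
    """peerA's check: CA-signed cert AND a signature over peerA's fresh nonce
    made with the private key that matches the cert's public key."""
    return verify_certificate(cert, ca_public_key) and verify(cert["public_key"], nonce, proof)


def run_scenario(seed: int = 7) -> dict:
    random.seed(seed)  # deterministic toy keys and nonce
    ca_pub, ca_priv = generate_keypair()
    b_pub, b_priv = generate_keypair()
    c_pub, c_priv = generate_keypair()
    cert_b = issue_certificate(ca_priv, "peerB", b_pub)
    nonce = random.getrandbits(64).to_bytes(8, "big")  # peerA's challenge
    results = {
        "cert_valid": verify_certificate(cert_b, ca_pub),
        "peer_b_authenticates": authenticate_peer(cert_b, ca_pub, nonce, sign(b_priv, nonce)),
        # peerC replays peerB's certificate but can only sign with its own key
        "peer_c_with_b_cert": authenticate_peer(cert_b, ca_pub, nonce, sign(c_priv, nonce)),
        # peerC swaps its own key into the copied cert: CA signature no longer matches
        "forged_cert_valid": verify_certificate(dict(cert_b, public_key=c_pub), ca_pub),
    }
    # TAM's point: what peerA encrypts to the cert's key is readable only by peerB
    session_key = random.getrandbits(128)
    ciphertext = pow(session_key, b_pub[1], b_pub[0])
    results["peer_b_decrypts"] = pow(ciphertext, b_priv[1], b_priv[0]) == session_key
    results["peer_c_decrypts"] = pow(ciphertext, c_priv[1], c_priv[0]) == session_key
    return results


if __name__ == "__main__":
    for name, outcome in run_scenario().items():
        print(f"{name}: {outcome}")
```

The key design point is in `authenticate_peer`: the certificate check alone only tells peerA "the CA vouches that this key belongs to peerB"; it is the signature over peerA's fresh nonce that proves the party on the wire actually holds the private key, which is the piece peerC never obtains.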



This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:35 ART