From: Lay, Rob (Robert.Lay@Honeywell.com)
Date: Fri Apr 13 2007 - 19:14:01 ART
Hi Guys,
Doesn't it have something to do with multiple signatures in the cert??
1 signature from the CA (who we all trust!)
And 1 signature from Peer B using his private key - ie so only he could
be able to sign it.
I think they have a time stamp element too which would reduce the risk
of someone using a previously signed cert since it would age out??
Not sure, just my 2c
Cheers
Rob
-----Original Message-----
From: nobody@groupstudy.com [mailto:nobody@groupstudy.com] On Behalf Of
Edward Norton
Sent: 13 April 2007 22:31
To: TAM
Cc: ccielab@groupstudy.com; security@groupstudy.com
Subject: Re: digital certificate question
Ok folks ..i have read whatever posted so far about my question..all are
about the private key portion which is hidden with peerB ..I know that
peerC cannot go anywhere with "emulating " peerB certificate since he
does not have the private key of peer B...that is all ok and
understandable ..but why on earth we need to do all this certificate
stuff if peerB can just send out his public key (which is public anyway
) and depend on his own private key that none can know about it ?
ok in other words ..the whole point of certificate is origin
authentication (peerA needs to check that peerB is actually peerB ) ..it
is not about decrytping whatever peerB sends because this is a stage
will come after origin authentication
in similarity to pre-shared keys ..digital certificate is similar to
someone who come to know your preshared key which is used to
authenticate the origin (not decrypt his messages) ....in similar
fashion ..is not just getting the certificate of this origin is simply
as if knowing his preshared key ??
thanks :)
TAM <auha84@dsl.pipex.com> wrote:
I'll have a go at this, though after a few(...) beers things are
starting to get hazy.
Say Peer C gets the certificate, all it contains is PeerB's public key
and the signature of the CA. That's fine for initiating communications
with whomever Peer C wants, but what happens when Peer A (or any peer
that Peer C attempts to communicate with) replies to Peer C? Peer
A/other will encrypt it's reply with Peer C's (really B's) Public key,
so the only node that can DEcrypt it is the owner of the B's Private key
- namely B, and not Peer C. So Peer C may see data coming back from
Peer A but it will be unable to decipher it.
I'm sure someone can explain it a little better than this (and highlight
the downside to writing emails while a little tipsy..)
Thanks,
TAM
Edward Norton wrote:
> Folks ;
> I have spent some time reading and testing the point of using digital
certificate as a way of origin authentication with VPN peers , there is
a question with bothers my theory understanding which is as follows
>
> if peerA wants to check that peerB is actually peerB , he would
request the digital certificate of peerB (which contains peerB Public
key and the signature of the CA ) ...on peerA there are two
ceritificates , his own identity certificate and the certificate of the
CA (which contains the public key of the CA and will validate the
signature of peerB certificate )
>
> all that is ok , now the question is ..since peerB sends out his
digital certificate to anyone who request to authenticate with him..why
not someone (peerC) gets this certificate ..install it and act as if he
is peerB ??
>
>
> i am sure i must be missing something here ...can someone explain this
>
> thanks
>
>
>
>
>
>
>
>
> ---------------------------------
> Ahhh...imagining that irresistible "new car" smell?
> Check outnew cars at Yahoo! Autos.
>
>
---------------------------------
Ahhh...imagining that irresistible "new car" smell?
Check outnew cars at Yahoo! Autos.
This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:35 ART