From: Cacca Mucca (caccamucca@gmail.com)
Date: Fri Apr 13 2007 - 19:40:11 ART
"why on earth we need to do all this certificate stuff if peerB can just
send out his public key (which is public anyway ) and depend on his own
private key that none can know about it ?"
Mathematicians exist for a reason, and they've come up with formulas and
algorithms that make all this work like magic.
On 4/13/07, Edward Norton <doubleccie@yahoo.com> wrote:
>
> Ok folks ..i have read whatever posted so far about my question..all are
> about the private key portion which is hidden with peerB ..I know that peerC
> cannot go anywhere with "emulating " peerB certificate since he does not
> have the private key of peer B...that is all ok and understandable ..but why
> on earth we need to do all this certificate stuff if peerB can just send out
> his public key (which is public anyway ) and depend on his own private key
> that none can know about it ?
>
>
> ok in other words ..the whole point of certificate is origin
> authentication (peerA needs to check that peerB is actually peerB ) ..it is
> not about decrypting whatever peerB sends because this is a stage that will
> come after origin authentication
>
>
> in similarity to pre-shared keys ..digital certificate is similar to
> someone who come to know your preshared key which is used to authenticate
> the origin (not decrypt his messages) ....in similar fashion ..is not just
> getting the certificate of this origin is simply as if knowing his preshared
> key ??
>
> thanks :)
>
>
> TAM <auha84@dsl.pipex.com> wrote:
>
> I'll have a go at this, though after a few(...) beers things are
> starting to get hazy.
>
> Say Peer C gets the certificate, all it contains is PeerB's public key
> and the signature of the CA. That's fine for initiating communications
> with whomever Peer C wants, but what happens when Peer A (or any peer
> that Peer C attempts to communicate with) replies to Peer C? Peer
> A/other will encrypt its reply with Peer C's (really B's) Public key,
> so the only node that can DEcrypt it is the owner of the B's Private key
> - namely B, and not Peer C. So Peer C may see data coming back from
> Peer A but it will be unable to decipher it.
>
> I'm sure someone can explain it a little better than this (and highlight
> the downside to writing emails while a little tipsy..)
>
> Thanks,
>
> TAM
>
>
> Edward Norton wrote:
> > Folks ;
> > I have spent some time reading and testing the point of using digital
> certificate as a way of origin authentication with VPN peers , there is a
> question with bothers my theory understanding which is as follows
> >
> > if peerA wants to check that peerB is actually peerB , he would request
> the digital certificate of peerB (which contains peerB Public key and the
> signature of the CA ) ...on peerA there are two certificates , his own
> identity certificate and the certificate of the CA (which contains the
> public key of the CA and will validate the signature of peerB certificate )
> >
> > all that is ok , now the question is ..since peerB sends out his digital
> certificate to anyone who request to authenticate with him..why not someone
> (peerC) gets this certificate ..install it and act as if he is peerB ??
> >
> >
> > i am sure i must be missing something here ...can someone explain this
> >
> > thanks
>
> _______________________________________________________________________
> Subscription information may be found at:
> http://www.groupstudy.com/list/CCIELab.html
This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:35 ART
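A worked illustration of the point the thread circles around, added here as an editor's example (not code from any poster): a certificate is the CA's signature binding a name to a public key, and the verifier still demands a signature over a fresh nonce, which only the private-key holder can produce. Peer C holding peerB's certificate fails the nonce check; a bare public key with no CA binding lets anyone claim to be peerB. The key pairs, primes, names and nonce are all constructed toy values (textbook RSA, not secure), and `authenticate`/`bare_key_auth` are hypothetical helpers, not a real VPN implementation.

```python
import hashlib
import secrets

# Textbook RSA with tiny constructed primes: enough to show the logic, not secure.
def keypair(p, q, e):
    n, phi = p * q, (p - 1) * (q - 1)
    return (e, n), (pow(e, -1, phi), n)      # (public, private); needs Python 3.8+

def digest(msg, n):
    return int.from_bytes(hashlib.sha256(msg).digest(), "big") % n

def sign(priv, msg):                         # s = H(m)^d mod n, needs the private d
    d, n = priv
    return pow(digest(msg, n), d, n)

def verify(pub, msg, sig):                   # accept iff s^e mod n == H(m)
    e, n = pub
    return pow(sig, e, n) == digest(msg, n)

CA_PUB, CA_PRIV = keypair(61, 53, 17)        # constructed CA key pair
B_PUB, B_PRIV = keypair(101, 103, 7)         # peerB's real key pair
C_PUB, C_PRIV = keypair(107, 109, 5)         # peerC's own key pair

def cert_body(name, pub):
    return f"{name}|{pub[0]}|{pub[1]}".encode()

def issue_cert(name, pub):                   # the CA binds a name to a public key
    return {"name": name, "pub": pub, "sig": sign(CA_PRIV, cert_body(name, pub))}

def authenticate(cert, expected, prover_priv, nonce=None):
    """peerA's view: the CA signature must bind the expected name to this key,
    and the peer must then sign a fresh nonce with the matching private key."""
    if not verify(CA_PUB, cert_body(cert["name"], cert["pub"]), cert["sig"]):
        return False                         # forged or altered certificate
    if cert["name"] != expected:
        return False                         # a valid cert, but for someone else
    nonce = nonce or secrets.token_bytes(16)
    return verify(cert["pub"], nonce, sign(prover_priv, nonce))  # proof of possession

def bare_key_auth(claimed_pub, prover_priv, nonce=None):
    """What the question proposes: just send a public key. The nonce check still
    works, but nothing ties the key to a name, so the claim 'I am peerB' is free."""
    nonce = nonce or secrets.token_bytes(16)
    return verify(claimed_pub, nonce, sign(prover_priv, nonce))

CERT_B = issue_cert("peerB", B_PUB)

def scenarios(nonce=b"constructed-nonce-1"):
    forged = {"name": "peerB", "pub": C_PUB, "sig": sign(C_PRIV, cert_body("peerB", C_PUB))}
    return {
        "B with own cert and key":       authenticate(CERT_B, "peerB", B_PRIV, nonce),
        "C replaying B's cert":          authenticate(CERT_B, "peerB", C_PRIV, nonce),
        "C self-signing a 'peerB' cert": authenticate(forged, "peerB", C_PRIV, nonce),
        "C sending a bare key as peerB": bare_key_auth(C_PUB, C_PRIV, nonce),
    }
```

Only the first scenario succeeds under certificate authentication; the last one succeeds precisely because a bare key carries no CA-signed identity, which is what the certificate adds.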