Re: digital certificate question

From: M. Mohan (mmsundar@yahoo.com)
Date: Fri Apr 13 2007 - 21:11:32 ART


Edward,

Authentication is NOT complete unless both the peers
are able to encrypt and decrypt a "piece-of-data"
using the public-private key pairs.

OK, peer C can say I am B, but A will have to
challenge that by encrypting a piece-of-data to make
sure that C indeed has the private key of the
corresponding public key that was in the certificate.
Until then, it does not believe that B is indeed B.

As far as I know, Digital Certificate simply answers
one question. Does this public key belong to this
entity? yes or no. This is answered by CA, who A
trusts. Without CA, anyone can generate a cert and
present it to the other peer, but on what basis will
the other peer trust this cert? That is why we have
CA.

Can anyone answer in a better way?

Thank you,
Mohan
--- Edward Norton <doubleccie@yahoo.com> wrote:

> Ok folks ..i have read whatever posted so far about
> my question..all are about the private key portion
> which is hidden with peerB ..I know that peerC
> cannot go anywhere with "emulating " peerB
> certificate since he does not have the private key
> of peer B...that is all ok and understandable ..but
> why on earth we need to do all this certificate
> stuff if peerB can just send out his public key
> (which is public anyway ) and depend on his own
> private key that none can know about it ?
>
>
> ok in other words ..the whole point of certificate
> is origin authentication (peerA needs to check that
> peerB is actually peerB ) ..it is not about
> decrypting whatever peerB sends because this is a
> stage will come after origin authentication
>
>
> in similarity to pre-shared keys ..digital
> certificate is similar to someone who come to know
> your preshared key which is used to authenticate the
> origin (not decrypt his messages) ....in similar
> fashion ..is not just getting the certificate of
> this origin is simply as if knowing his preshared
> key ??
>
> thanks :)
>
>
> TAM <auha84@dsl.pipex.com> wrote:
>
> I'll have a go at this, though after a few(...)
> beers things are
> starting to get hazy.
>
> Say Peer C gets the certificate, all it contains is
> PeerB's public key
> and the signature of the CA. That's fine for
> initiating communications
> with whomever Peer C wants, but what happens when
> Peer A (or any peer
> that Peer C attempts to communicate with) replies to
> Peer C? Peer
> A/other will encrypt its reply with Peer C's
> (really B's) Public key,
> so the only node that can DEcrypt it is the owner of
> the B's Private key
> - namely B, and not Peer C. So Peer C may see data
> coming back from
> Peer A but it will be unable to decipher it.
>
> I'm sure someone can explain it a little better than
> this (and highlight
> the downside to writing emails while a little
> tipsy..)
>
> Thanks,
>
> TAM
>
>
> Edward Norton wrote:
> > Folks ;
> > I have spent some time reading and testing the
> point of using digital certificate as a way of
> origin authentication with VPN peers , there is a
> question which bothers my theory understanding which
> is as follows
> >
> > if peerA wants to check that peerB is actually
> peerB , he would request the digital certificate of
> peerB (which contains peerB Public key and the
> signature of the CA ) ...on peerA there are two
> certificates , his own identity certificate and the
> certificate of the CA (which contains the public key
> of the CA and will validate the signature of peerB
> certificate )
> >
> > all that is ok , now the question is ..since peerB
> sends out his digital certificate to anyone who
> request to authenticate with him..why not someone
> (peerC) gets this certificate ..install it and act
> as if he is peerB ??
> >
> >
> > i am sure i must be missing something here ...can
> someone explain this
> >
> > thanks

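Mohan's two-step picture (the CA's signature answers "does this public key belong to this entity?", and a challenge then proves the claimant holds the matching private key), written out as an added Go example that is not part of this thread. The CA name, the in-memory keys and the 32-byte nonce are assumptions, and the challenge is modelled as RSA-OAEP encryption of a random nonce rather than any particular VPN protocol's exchange.

```go
package main
import (
	"bytes"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)
// issueCert creates a certificate for pub signed by signer; parent == nil gives the self-signed CA.
func issueCert(serial int64, cn string, pub *rsa.PublicKey, parent *x509.Certificate, signer *rsa.PrivateKey, isCA bool) *x509.Certificate {
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true}
	if parent == nil {
		parent = tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, _ := x509.ParseCertificate(der) // DER produced just above always parses
	return cert
}
// Authenticate is peerA's view of a claimant presenting cert (key is nil when the claimant only
// copied the certificate). Step 1: the trusted CA's signature binds the public key to the name.
// Step 2: a fresh nonce encrypted to that key can be returned only by the private key's holder.
func Authenticate(caCert, cert *x509.Certificate, key *rsa.PrivateKey) bool {
	if cert.CheckSignatureFrom(caCert) != nil {
		return false // not issued by the CA that peerA trusts
	}
	nonce := make([]byte, 32)
	rand.Read(nonce)
	challenge, err := rsa.EncryptOAEP(sha256.New(), rand.Reader, cert.PublicKey.(*rsa.PublicKey), nonce, nil)
	if err != nil || key == nil {
		return false // peerC: has the certificate but cannot decrypt the challenge
	}
	answer, err := rsa.DecryptOAEP(sha256.New(), rand.Reader, key, challenge, nil)
	return err == nil && bytes.Equal(answer, nonce)
}
// Scenario builds the thread's cast (assumed names and keys) and returns peerA's verdict on
// peerB, who holds the private key, and on peerC, who installed a copy of peerB's certificate.
func Scenario() (okB, okC bool) {
	caKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	caCert := issueCert(1, "Example CA", &caKey.PublicKey, nil, caKey, true)
	bKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	bCert := issueCert(2, "peerB", &bKey.PublicKey, caCert, caKey, false)
	return Authenticate(caCert, bCert, bKey), Authenticate(caCert, bCert, nil) // true, false
}
```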


This archive was generated by hypermail 2.1.4 : Tue May 01 2007 - 08:28:35 ART