[Openswan Users] How to check the host identity ?

david ngc1976.m42 at caramail.com
Thu May 19 11:05:37 CEST 2005


 
 When you generate a certificate, you do it as follows:

 1) You create a new random private key and public key.

 2) You generate a certificate request that includes the public key.

 3) You sign the certificate request with the private key (to prove that you
know it)

 4) You send the certificate request to a certificate authority.

 5) The certificate authority verifies the name you claim in the certificate
request to make sure it belongs to you. They verify that the request was
signed with the private key corresponding to the public key in the
certificate.

 6) The certificate authority issues a certificate that says that your name
is associated with your public key. They sign it with their private key.

The certificate is generally considered public information. All it does is
convey the true fact that the certification authority has established that
the name in the certificate is the name of the holder of the private key
that corresponds to the public key in it.


So my questions are:

After having signed the user certificate request, the CA sends this user certificate to the supposed user. How is the CA sure to send this certificate to the right person?
Is all the communication (steps 4 to 6 + sending to the user) encrypted with SSL?
Is there a challenge used to prove the identity of the user?
When does IPsec (IKE) do this challenge (if there is one)?
Is it done in every case?

thx
david




> This is an inherent flaw with certificates. The only way to be certain is
> to have the corresponding private key password encrypted with a symmetric
> cipher (3DES, AES). This proves (to some extent) that the person with the
> certificate is authorized to use the certificate. This clearly demonstrates
> the need to have private keys encrypted with a strong cipher / strong
> password combo.
> 
> -----Original Message-----
> From: users-bounces at openswan.org [mailto:users-bounces at openswan.org] On
> Behalf Of david
> Sent: Wednesday, May 18, 2005 5:27 AM
> To: users at openswan.org
> Subject: [Openswan Users] How to check the host identity ?
> 
> Hi all,

> I am testing a VPN using certificates.

> Server ======== User

> The server and the user have a certificate. The server accepts all
> connection if it knows CA which signed the certificate of the user.

> How to check that the User is really the party the certificate was issued
> to? (and not someone who has intercepted the certificate)

> thx

> david
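As an added example (not code from this thread or from Openswan), the six steps above and the "challenge" question, worked in Go with only the standard library: the CA of step 5 checks the request's own signature before issuing, and the verifier then makes the peer sign a fresh nonce, which a copied certificate alone cannot do. The function names, the "Test CA" name and the use of Ed25519 keys are this example's assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewCA is the certificate authority of steps 4-6: a self-signed CA certificate (parent == template).
func NewCA(caKey ed25519.PrivateKey) *x509.Certificate {
	t := &x509.Certificate{SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Test CA"}, IsCA: true,
		BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign, NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour)}
	der, _ := x509.CreateCertificate(rand.Reader, t, t, caKey.Public(), caKey)
	ca, _ := x509.ParseCertificate(der)
	return ca
}

// MakeRequest is steps 2-3: a request carrying the public key, signed with the matching private key.
func MakeRequest(key ed25519.PrivateKey, cn string) ([]byte, error) {
	return x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
}

// CAIssue is steps 5-6: check the request's own signature (proof of possession), then issue for that name.
func CAIssue(caKey ed25519.PrivateKey, ca *x509.Certificate, csrDER []byte) ([]byte, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err == nil {
		err = csr.CheckSignature() // rejects a request not signed by the private key matching its public key
	}
	if err != nil {
		return nil, err
	}
	leaf := &x509.Certificate{SerialNumber: big.NewInt(2), Subject: csr.Subject, NotBefore: ca.NotBefore, NotAfter: ca.NotAfter, KeyUsage: x509.KeyUsageDigitalSignature}
	return x509.CreateCertificate(rand.Reader, leaf, ca, csr.PublicKey, caKey)
}

// AnswerChallenge is the challenge asked about above: verify the chain to a trusted CA (the server "knows the
// CA"), then sign a fresh nonce. A copied certificate passes the chain check but fails here without the key.
func AnswerChallenge(cert *x509.Certificate, roots *x509.CertPool, key ed25519.PrivateKey) bool {
	if _, err := cert.Verify(x509.VerifyOptions{Roots: roots}); err != nil {
		return false
	}
	nonce := make([]byte, 32) // verifier's challenge, fresh for every session
	rand.Read(nonce)
	sig := ed25519.Sign(key, nonce) // prover's response, made with its private key
	pub, ok := cert.PublicKey.(ed25519.PublicKey)
	return ok && ed25519.Verify(pub, nonce, sig)
}
```

IKE's signature-based authentication is where this happens in IPsec: each peer signs exchange data that includes the other side's fresh nonce, so the certificate is of no use to a party that lacks the private key.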


