[3870] in WWW Security List Archive


Re: More on Certificates - "transmissibility"

daemon@ATHENA.MIT.EDU (David W. Morris)
Fri Dec 20 23:23:27 1996

Date: Fri, 20 Dec 1996 18:14:40 -0800 (PST)
From: "David W. Morris" <dwm@xpasc.com>
To: si10875@ci.uminho.pt
cc: www-security@ns2.rutgers.edu
In-Reply-To: <9612201129.AA05817@caeiro.ci.uminho.pt>
Errors-To: owner-www-security@ns2.rutgers.edu



On Fri, 20 Dec 1996 si10875@ci.uminho.pt wrote:

> I have a doubt about client authentication using certificates.
> Suppose I have a perfectly valid certificate, say passed by Thawte, 
> if I lend this certificate to a friend of mine, can he access a secure server
> where I had permission to enter, even though he is on another IP address
> and using another email address?

I would expect he could ... if you lend your car keys to your friend,
would you expect him to be able to drive the car?

But then I haven't studied the SSL specification re. this question, but
I think you would be quite upset if you had to get a new certificate
each time you dialed your ISP who dynamically assigns IP addresses or
on a LAN each time your DHCP server assigns a new IP address to your
desktop system, etc.

> As you might have noticed, my doubt is if secure servers do any
> run time verification of the information on the certificate.

Run time verification is based on public keys and chains of certificate
authorities and their public keys, not on extraneous and unstable
identity information like IP addresses, email addresses, etc.

Dave Morris


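The run-time check Dave describes, as an added example that is not part of the original message and not code from any server or CA mentioned in the thread: a Go program, standard library only, that builds a throwaway CA and a client certificate, then models the two things a server actually verifies when a client certificate is presented (chain to a trusted CA, and a signature over a fresh challenge made with the certificate's private key). It plays out the thread's cases: the friend who received the certificate together with the private key, the friend who received only the certificate file, and a look-alike certificate from a CA the server does not trust. Every name in it (Example Test CA, Alice, alice@example.org, the nonce) is constructed for the demonstration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

func check(err error) {
	if err != nil {
		panic(err)
	}
}

func mustKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	check(err)
	return k
}

// issue signs tmpl under parentKey; parent == tmpl yields a self-signed root.
func issue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, parentKey *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, parentKey)
	check(err)
	cert, err := x509.ParseCertificate(der)
	check(err)
	return cert
}

// BuildPKI returns a throwaway root CA, one client certificate chained to it,
// and the client's private key. Every name in it is constructed for this
// demonstration; nothing comes from the thread.
func BuildPKI() (root, client *x509.Certificate, clientKey *ecdsa.PrivateKey) {
	rootKey := mustKey()
	clientKey = mustKey()
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: "Example Test CA"},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}
	root = issue(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)
	clientTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: "Alice"},
		EmailAddresses: []string{"alice@example.org"}, // identity data the server never checks
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage: x509.KeyUsageDigitalSignature, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	client = issue(clientTmpl, root, &clientKey.PublicKey, rootKey)
	return root, client, clientKey
}

// ProvePossession is the client side: sign the server's challenge with whatever
// private key the presenter holds (what SSL's CertificateVerify message does).
func ProvePossession(key *ecdsa.PrivateKey, challenge []byte) []byte {
	digest := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, key, digest[:])
	check(err)
	return sig
}

// ServerAccepts is the server side. It checks two things only: the certificate
// chains to a trusted CA, and the challenge signature verifies under the
// certificate's public key. The presenter's IP and e-mail address are not inputs.
func ServerAccepts(roots *x509.CertPool, cert *x509.Certificate, challenge, proof []byte) bool {
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := cert.Verify(opts); err != nil {
		return false
	}
	pub, ok := cert.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return false
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], proof)
}

// Run plays the thread's cases against one server trust store.
func Run() (lentWithKey, lentCertOnly, untrustedIssuer bool) {
	root, client, clientKey := BuildPKI()
	roots := x509.NewCertPool()
	roots.AddCert(root)
	challenge := []byte("constructed server nonce")
	// Friend got the certificate and the private key ("car keys"): accepted, from any IP address.
	lentWithKey = ServerAccepts(roots, client, challenge, ProvePossession(clientKey, challenge))
	// Friend got only the certificate file and signs with his own key: rejected.
	lentCertOnly = ServerAccepts(roots, client, challenge, ProvePossession(mustKey(), challenge))
	// Same names, but issued by a CA the server does not trust: rejected.
	_, stranger, strangerKey := BuildPKI()
	untrustedIssuer = ServerAccepts(roots, stranger, challenge, ProvePossession(strangerKey, challenge))
	return lentWithKey, lentCertOnly, untrustedIssuer
}

func main() {
	fmt.Println(Run()) // true false false
}
```

Nothing in ServerAccepts reads the e-mail address in the certificate or asks where the connection came from, which is the point of the reply: the certificate is a public document, and "lending" it in the sense of the question only works because the private key goes with it (in practice the two travel together in an exported key file). Handing over the certificate file alone gets nobody in, and a certificate from an issuer outside the server's trust store fails before the signature is even looked at. A server can of course still map the subject or e-mail of an already-verified certificate to an account for authorization, but that is a decision made after the cryptographic check, and it is no obstacle to a friend holding the key.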