Date: Tue, 2 Oct 2001 11:37:14 -0400
Content-Type: text/plain
Steve Dirickson (Volt) wrote:

> That isn't quite how it works. Use of server or client certificates is
> optional; even if used, they have nothing to do with securing the data
> exchanged--certificates are used only to authenticate that the other end
> is really who it claims to be.

The use of server certificates is optional in SSL/TLS, but I think that all
the browsers require them as policy. I haven't been able to verify that,
though.

When a server certificate is used--which, in practice, it always is--then
the key in the certificate is used instead of the ServerKeyExchange.

Because the certificates can be verified from out-of-band data, they protect
against active man-in-the-middle attacks. Non-certificate key exchanges
only protect against passive eavesdroppers.
* To join/leave the list, search archives, change list settings, *
* etc., please visit http://raven.utc.edu/archives/hp3000-l.html *
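The distinction the reply draws, as an added worked example that is not part of the original thread or of any HP3000-L poster's code: an anonymous Diffie-Hellman exchange is simulated first against a passive eavesdropper and then against an active man-in-the-middle, and then a certificate-style exchange in which the client encrypts a premaster secret under the key from the server's certificate after checking that key against data it already holds out of band. The group modulus, the RSA primes, the pinned fingerprint and the attacker's key are all toy values constructed for this example (far too small for real use), and the fingerprint pin stands in for a CA-verified certificate.

```python
import hashlib
import secrets

# ---- Toy Diffie-Hellman group (constructed; a real deployment uses a standard 2048-bit+ group) ----
DH_P = 2**127 - 1   # Mersenne prime, so a valid (if tiny) modulus
DH_G = 2

def dh_keypair():
    priv = secrets.randbelow(DH_P - 3) + 2          # private exponent in [2, DH_P - 2]
    return priv, pow(DH_G, priv, DH_P)

def dh_session_key(priv, peer_pub):
    shared = pow(peer_pub, priv, DH_P)
    return hashlib.sha256(shared.to_bytes(16, "big")).digest()

# ---- Toy RSA key standing in for the key inside the server's certificate (constructed) ----
_RSA_P, _RSA_Q = 2**89 - 1, 2**107 - 1             # Mersenne primes; modulus is ~196 bits
RSA_N, RSA_E = _RSA_P * _RSA_Q, 65537
RSA_D = pow(RSA_E, -1, (_RSA_P - 1) * (_RSA_Q - 1))
SERVER_PUBLIC_KEY = (RSA_N, RSA_E)
# A second toy key that an interposed party would present instead of the server's (constructed)
IMPOSTER_PUBLIC_KEY = ((2**61 - 1) * (2**127 - 1), 65537)

def rsa_encrypt(m_int, pub):
    n, e = pub
    return pow(m_int, e, n)          # textbook RSA, no padding: illustration only

def rsa_decrypt(c_int, d=RSA_D, n=RSA_N):
    return pow(c_int, d, n)

def key_fingerprint(pub):
    n, e = pub
    return hashlib.sha256(f"{n}:{e}".encode()).hexdigest()

# Out-of-band trust: the client already holds the server's key fingerprint before the
# handshake (hypothetical pin; in TLS this role is played by the CA-verified certificate).
PINNED_SERVER_FINGERPRINT = key_fingerprint(SERVER_PUBLIC_KEY)

def anonymous_dh_handshake(active_attacker):
    """Unauthenticated DH. Returns (client_key, server_key, keys_the_attacker_can_compute)."""
    s_priv, s_pub = dh_keypair()
    c_priv, c_pub = dh_keypair()
    if not active_attacker:
        # A passive eavesdropper sees c_pub and s_pub but holds neither private exponent,
        # so both ends derive the same key and the attacker's set stays empty.
        return dh_session_key(c_priv, s_pub), dh_session_key(s_priv, c_pub), set()
    # An active party replaces each side's public value with its own; nothing in the
    # exchange lets either end notice, so each end shares a key with the interposer.
    a_priv, a_pub = dh_keypair()
    client_key = dh_session_key(c_priv, a_pub)
    server_key = dh_session_key(s_priv, a_pub)
    attacker_keys = {dh_session_key(a_priv, c_pub), dh_session_key(a_priv, s_pub)}
    return client_key, server_key, attacker_keys

def certificate_handshake(active_attacker):
    """Key transport under the certificate's key. Returns 'rejected' or 'ok'."""
    presented_key = IMPOSTER_PUBLIC_KEY if active_attacker else SERVER_PUBLIC_KEY
    # The client checks the presented key against out-of-band data before using it;
    # a substituted key fails this check and the handshake is abandoned.
    if key_fingerprint(presented_key) != PINNED_SERVER_FINGERPRINT:
        return "rejected"
    premaster = int.from_bytes(secrets.token_bytes(24), "big")   # 192 bits < RSA_N
    ciphertext = rsa_encrypt(premaster, presented_key)
    # Only the holder of the certificate's private key can recover the premaster secret,
    # so an observer (passive or relaying the genuine key) learns nothing from ciphertext.
    assert rsa_decrypt(ciphertext) == premaster
    return "ok"

if __name__ == "__main__":
    ck, sk, known = anonymous_dh_handshake(active_attacker=False)
    print("anon DH, passive observer : keys match =", ck == sk, "| attacker knows key =", bool(known))
    ck, sk, known = anonymous_dh_handshake(active_attacker=True)
    print("anon DH, active interposer: keys match =", ck == sk, "| attacker knows key =", ck in known)
    print("certificate, honest peer  :", certificate_handshake(active_attacker=False))
    print("certificate, substituted  :", certificate_handshake(active_attacker=True))
```

The two DH runs show the reply's point about non-certificate exchanges: the passive case yields one shared key the observer cannot compute, while the active case yields two keys, both of which the interposer holds. The certificate case shows where the protection comes from: not from the key exchange arithmetic itself, but from the client comparing the presented key with something it trusted before the connection began.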