| Wojtek 2007-04-25, 7:08 pm |
| Lew wrote :
> zhouqiang94@gmail.com wrote :
>
> Lew wrote :
>
> Wojtek wrote:
>
> How does sending a certificate give you access to my computer?
Who is sending the certificate?
If the server sends one to the client, then it is the client which
determines if it is valid. So a browser must authenticate the
certificate, usually by contacting the certificate authority which
issued the certificate, and having that authority validate the
certificate. Or having local storage. Which is why everyone needed to
update their certificate files a few years ago, as the certificates
were about to expire.
If the client sends a certificate to the server, then how did the
client get that certificate? If it was sent to the client by the server
during a previous login, then I can steal that certificate and now I am
you (unless you embed some machine characteristics in the certificate).
Note: I am NOT an expert on this subject, I simply know enough to be
(and sometimes confusing). I am willing to learn more if
anyone else cares to step in?
--
Wojtek :-)
|
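The validation step Wojtek describes (the client deciding for itself whether the server's certificate is valid, using roots it holds locally) can be shown end to end. The following is an added example in Go, not code from anyone in the thread: it builds a throwaway root CA and issues certificates in memory (all names such as "Example Root CA" and "www.example.test" are constructed), then checks them the way a TLS client checks a server certificate against its local trust store. A certificate from an issuer not in the store, an expired one, and one issued for a different hostname are all rejected; only the one chaining to a trusted root for the expected name passes.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// makeCA creates a self-signed CA certificate and its private key in memory.
// It stands in for a root that a browser ships in its local certificate store
// (constructed for this example; not a real authority).
func makeCA(name string) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// issueLeaf has the CA sign a server certificate for host with the given validity
// window. The leaf's own key is generated and discarded; only the certificate matters here.
func issueLeaf(ca *x509.Certificate, caKey *ecdsa.PrivateKey, host string,
	notBefore, notAfter time.Time) (*x509.Certificate, error) {
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: host},
		DNSNames:     []string{host},
		NotBefore:    notBefore,
		NotAfter:     notAfter,
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca, &leafKey.PublicKey, caKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// verifyAgainstStore is the client-side decision the post talks about: build a chain
// from the presented certificate to a root in the local store, and require that the
// certificate is currently valid and was issued for the host we connected to.
func verifyAgainstStore(leaf *x509.Certificate, roots *x509.CertPool, host string) error {
	_, err := leaf.Verify(x509.VerifyOptions{
		Roots:     roots,
		DNSName:   host,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	})
	return err
}

// checkScenarios runs four presentations against a store holding one trusted root
// and reports the verification outcome for each (nil means accepted).
func checkScenarios() (map[string]error, error) {
	trusted, trustedKey, err := makeCA("Example Root CA (constructed)")
	if err != nil {
		return nil, err
	}
	rogue, rogueKey, err := makeCA("Unknown CA (constructed, not in store)")
	if err != nil {
		return nil, err
	}
	roots := x509.NewCertPool()
	roots.AddCert(trusted) // only this root is trusted locally

	now := time.Now()
	host := "www.example.test"
	good, err := issueLeaf(trusted, trustedKey, host, now.Add(-time.Hour), now.Add(time.Hour))
	if err != nil {
		return nil, err
	}
	untrusted, err := issueLeaf(rogue, rogueKey, host, now.Add(-time.Hour), now.Add(time.Hour))
	if err != nil {
		return nil, err
	}
	expired, err := issueLeaf(trusted, trustedKey, host, now.Add(-2*time.Hour), now.Add(-time.Hour))
	if err != nil {
		return nil, err
	}
	results := map[string]error{
		"trusted root, valid, right host": verifyAgainstStore(good, roots, host),
		"issuer not in local store":       verifyAgainstStore(untrusted, roots, host),
		"expired certificate":             verifyAgainstStore(expired, roots, host),
		"wrong hostname":                  verifyAgainstStore(good, roots, "other.example.test"),
	}
	return results, nil
}

func main() {
	results, err := checkScenarios()
	if err != nil {
		panic(err)
	}
	for name, verr := range results {
		if verr == nil {
			fmt.Printf("%-34s accepted\n", name)
		} else {
			fmt.Printf("%-34s rejected: %v\n", name, verr)
		}
	}
}
```

The store is the deciding factor: the same well-formed certificate is accepted or rejected purely on whether its issuer chains to a root the client already trusts, which is why the root bundle (and its expiry dates) has to be kept up to date on the client side.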