
Re: [Openvpn-users] I don't get it: why use a certificate?

  • Subject: Re: [Openvpn-users] I don't get it: why use a certificate?
  • From: "lim diemar" <diemar2006@xxxxxxxxx>
  • Date: Mon, 25 Jun 2007 12:27:36 +0800

The PRACHASE for certification is encrypted key

2007/6/25, Todd and Margo Chester <ToddAndMargo@xxxxxxxxxxx>:

> I'm no expert, but it seems to me that the certificate you get from the
> other end when you establish a link can be verified as coming from the
> CA for which you have a CA certificate, thus preventing Man In The
> Middle attacks: the key the Man In The Middle sends you won't be
> verified by the same CA.

Hi Mark,

   I don't understand.  The key method uses the same 2048 bit
key at both ends.  Is it even possible to do a Man-in-the-middle

>> For instance, if a laptop gets stolen,
>> don't the bad guys have everything they
>> need to use the tunnel regardless if
>> you are using a certificate or a key?
> I agree - No help at all in this scenario. You need to use the
> auth-user-pass facility to get a username/password from the _user_ to
> verify that the user is legit once the _machine_ has been authenticated
> using the certificates.

I have another post out there trying to figure out what
"auth-user-pass" is.

The key method does not use a password.  Can the certificate
method be configured to prompt for a password?  This would
seem to go a long way to protect the server from an
undiscovered compromised remote unit.



Carelessness would lead you to irretrievable errors.