Hi Doug,
When I connect to my host I login and get a popup from FileZilla asking
if I will accept a DC. I respond yes and I'm in. Why am I sending out
the DC to the remote client?
You aren't sending the local CA cert to the client for YOUR protection.
You're sending it to the client for THE CLIENT'S protection.
The idea is that they can use this CA cert to verify that the server is
really you. If you didn't do that, it could be someone impersonating
you (a man in the middle attack, or phishing, or something like that).
Remember, SSL was originally designed to let retailers sell stuff using
a credit card over the web. The goal is to let the consumer know that
they're really sending the credit card number to the right place. If I
set up a web site named 'WalmartOutlet.com' and told everyone that I was
Wal-Mart, then they might trust me and send me their credit card
numbers. That would be gr8t, cuz I could buy l0tz of n33t stuff.
One problem: My SSL certificate wouldn't match the CA certificate
installed in the client's web browser. That would tell the client that
I'm not to be trusted. Oh well, I guess I'll have to work for a living...
That's the point of the CA certificate: To verify that the server
REALLY IS who the server claims to be. That's the reason you want to
install your local CA into your client's system -- so the client can be
confident that they're FTPing the files to YOU, and not someone else.
If you'd like to ALSO verify who the client is, then you need to
implement client certificates. This is not implemented by default in
SSL (because, again, SSL was created for retailers... Wal-Mart will
sell to anyone. They don't want/need to have to distribute client
certificates to every potential customer!). However, SSL does have
this option, it just has to be set up, and additional certificates need
to be generated and distributed.
midrange.com
