Mon Feb 3 10:00:59 2003
Standard preamble:
======================================================================
\\$1
.. ..
.... Set up some character translations and predefined strings. \*(-- will
give an unbreakable dash, \*(PI will give pi, \*(L" will give a left
double quote, and \*(R" will give a right double quote. | will give a
real vertical bar. \*(C+ will give a nicer C++. Capital omega is used
to do unbreakable dashes and therefore won't be available. \*(C` and
\*(C' expand to `' in nroff, nothing in troff, for use with C<>
.tr \(*W-|\(bv\*(Tr . ds -- \(*W- . ds PI pi . if (\n(.H=4u)&(1m=24u) .ds -- \(*W\h'-12u'\(*W\h'-12u'-\" diablo 10 pitch . if (\n(.H=4u)&(1m=20u) .ds -- \(*W\h'-12u'\(*W\h'-8u'-\" diablo 12 pitch . ds L" "" . ds R" "" . ds C` "" . ds C' "" 'br\} . ds -- \|\(em\| . ds PI \(*p . ds L" `` . ds R" '' 'br\}
If the F register is turned on, we'll generate index entries on stderr
for titles (.TH), headers (.SH), subsections (.Sh), items (.Ip), and
index entries marked with X<> in POD. Of course, you'll have to process
the output yourself in some meaningful fashion.
. de IX . tm Index:\\$1\t\\n%\t"\\$2" .. . nr % 0 . rr F .\}
For nroff, turn off justification. Always turn off hyphenation; it
makes way too many mistakes in technical documents.
Accent mark definitions (@(#)ms.acc 1.5 88/02/08 SMI; from UCB 4.2).
Fear. Run. Save yourself. No user-serviceable parts.
.bd B 3 . \" fudge factors for nroff and troff . ds #H 0 . ds #V .8m . ds #F .3m . ds #[ \f1 . ds #] .\} . ds #H ((1u-(\\\\n(.fu%2u))*.13m) . ds #V .6m . ds #F 0 . ds #[ \& . ds #] \& .\} . \" simple accents for nroff and troff . ds ' \& . ds ` \& . ds ^ \& . ds , \& . ds ~ ~ . ds / .\} . ds ' \\k:\h'-(\\n(.wu*8/10-\*(#H)'\'\h"|\\n:u" . ds ` \\k:\h'-(\\n(.wu*8/10-\*(#H)'\`\h'|\\n:u' . ds ^ \\k:\h'-(\\n(.wu*10/11-\*(#H)'^\h'|\\n:u' . ds , \\k:\h'-(\\n(.wu*8/10)',\h'|\\n:u' . ds ~ \\k:\h'-(\\n(.wu-\*(#H-.1m)'~\h'|\\n:u' . ds / \\k:\h'-(\\n(.wu*8/10-\*(#H)'\z\(sl\h'|\\n:u' .\} . \" troff and (daisy-wheel) nroff accents . \" corrections for vroff . \" for low resolution devices (crt and lpr) \{\ . ds : e . ds 8 ss . ds o a . ds d- d\h'-1'\(ga . ds D- D\h'-1'\(hy . ds th \o'bp' . ds Th \o'LP' . ds ae ae . ds Ae AE .\} ======================================================================
Title "SPKAC 1"
.Vb 1 openssl spkac -in spkac.cnf .Ve Verify the signature of an \s-1SPKAC:\s0
.Vb 1 openssl spkac -in spkac.cnf -noout -verify .Ve Create an \s-1SPKAC\s0 using the challenge string \*(L"hello\*(R":
.Vb 1 openssl spkac -key key.pem -challenge hello -out spkac.cnf .Ve Example of an \s-1SPKAC\s0, (long lines split up for clarity):
.Vb 5 SPKAC=MIG5MGUwXDANBgkqhkiG9w0BAQEFAANLADBIAkEA1cCoq2Wa3Ixs47uI7F\e PVwHVIPDx5yso105Y6zpozam135a8R0CpoRvkkigIyXfcCjiVi5oWk+6FfPaD03u\e PFoQIDAQABFgVoZWxsbzANBgkqhkiG9w0BAQQFAANBAFpQtY/FojdwkJh1bEIYuc\e 2EeM2KHTWPEepWYeawvHD0gQ3DngSC75YCWnnDdq+NQ3F+X4deMx9AaEglZtULwV\e 4= .Ve
SPKACs are typically generated by Netscape when a form is submitted containing the \s-1KEYGEN\s0 tag as part of the certificate enrollment process.
The challenge string permits a primitive form of proof of possession of private key. By checking the \s-1SPKAC\s0 signature and a random challenge string some guarantee is given that the user knows the private key corresponding to the public key being certified. This is important in some applications. Without this it is possible for a previous \s-1SPKAC\s0 to be used in a \*(L"replay attack\*(R".