SunScreen SKIP User's Guide, Release 1.5.1

Certificate Discovery

Certificate discovery lets a host running SunScreen SKIP retrieve a public (X.509 or UDH) certificate from another SKIP host over a network or serial connection. Certificate discovery is an alternative to direct installation of certificates.

Certificate discovery works as follows:

  1. You verify that certificate discovery is enabled on your computer and on the remote host.

  2. You obtain the identifier and name space of the certificate you want to discover from a remote user by means of a channel that lets you authenticate the other user's identity. For example, you might telephone a user with whom you want to exchange encrypted traffic and exchange certificate identifiers and name spaces, relying on recognition of the other user's voice to authenticate that user's identity.

  3. You enter the identifier of the remote certificate in skiptool.

  4. Your computer sends a Certificate Discovery Protocol request to the remote computer in clear text on UDP port 1640, asking for a specific certificate using the designated name space. The remote computer sends back the requested information in clear text on UDP port 1641.

  5. SunScreen SKIP validates the certificate. For signed certificates, SunScreen SKIP uses the Certifying Authority's public key to decrypt the certificate digest, creates its own MD5 digest of the public certificate, and compares the two digests. For unsigned certificates, SunScreen SKIP creates an MD5 hash of the certificate's public key and compares it to the certificate's name.

  6. SunScreen SKIP adds the certificate for the remote host to its certificate database.

  7. SunScreen SKIP uses the public key information contained in the remote host's certificate to generate a unique shared secret.
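The following Python program is an added illustration of the two validation checks described in step 5, not code from SunScreen SKIP. Because the discovery request and reply travel in clear text over UDP (step 4), these checks are what lets the receiving host reject a reply whose certificate does not match what was agreed over the authenticated channel in step 2. The certificate layouts, the "certifying authority" key (textbook RSA on two small, well-known primes) and the sample public key are all constructed for this example; real X.509 and UDH encodings are more involved, and MD5 is used only because the guide names it.

```python
"""Added example: the signed and unsigned certificate checks of step 5.

Everything here is a constructed stand-in for SunScreen SKIP's real
formats and keys.
"""
import hashlib
import hmac
from dataclasses import dataclass

# Toy "Certifying Authority" key, constructed for this example only.
# Textbook RSA on two Mersenne primes: NOT secure, NOT a real CA key.
_P = (1 << 127) - 1
_Q = (1 << 89) - 1
CA_MODULUS = _P * _Q
CA_PUBLIC_EXP = 65537
_CA_PRIVATE_EXP = pow(CA_PUBLIC_EXP, -1, (_P - 1) * (_Q - 1))


@dataclass
class SignedCertificate:
    """Minimal signed certificate: subject, public key bytes, CA signature."""
    subject: str
    public_key: bytes
    signature: int = 0  # CA-signed MD5 digest of body()

    def body(self) -> bytes:
        return self.subject.encode() + b"|" + self.public_key


@dataclass
class UnsignedCertificate:
    """Minimal UDH-style certificate: its name is the MD5 hex of its key."""
    name: str
    public_key: bytes


def ca_sign(body: bytes) -> int:
    """What the toy CA does at issue time: sign the MD5 digest of the body."""
    digest = int.from_bytes(hashlib.md5(body).digest(), "big")
    return pow(digest, _CA_PRIVATE_EXP, CA_MODULUS)


def validate_signed(cert: SignedCertificate) -> bool:
    """Signed case: recover the digest with the CA public key, compute our
    own MD5 digest of the certificate body, and compare the two."""
    recovered = pow(cert.signature, CA_PUBLIC_EXP, CA_MODULUS)
    expected = int.from_bytes(hashlib.md5(cert.body()).digest(), "big")
    return recovered == expected


def validate_unsigned(cert: UnsignedCertificate) -> bool:
    """Unsigned case: the certificate's name must equal the MD5 hash of its
    public key, which binds the key to the name agreed out of band."""
    return hmac.compare_digest(hashlib.md5(cert.public_key).hexdigest(), cert.name)


def make_signed(subject: str, public_key: bytes) -> SignedCertificate:
    cert = SignedCertificate(subject, public_key)
    cert.signature = ca_sign(cert.body())
    return cert


def make_unsigned(public_key: bytes) -> UnsignedCertificate:
    return UnsignedCertificate(hashlib.md5(public_key).hexdigest(), public_key)


def demo() -> dict:
    """Run both checks on genuine certificates and on copies whose public
    key was replaced, as a substituted discovery reply would look."""
    key = b"constructed-public-key-bytes-of-remote-host"  # sample value
    other_key = b"constructed-public-key-bytes-of-someone-else"

    signed = make_signed("remote-host", key)
    swapped_signed = SignedCertificate(signed.subject, other_key, signed.signature)

    unsigned = make_unsigned(key)
    swapped_unsigned = UnsignedCertificate(unsigned.name, other_key)

    return {
        "signed_genuine": validate_signed(signed),          # True
        "signed_key_swapped": validate_signed(swapped_signed),   # False
        "unsigned_genuine": validate_unsigned(unsigned),        # True
        "unsigned_key_swapped": validate_unsigned(swapped_unsigned),  # False
    }


if __name__ == "__main__":
    for check, ok in demo().items():
        print(f"{check}: {'accepted' if ok else 'rejected'}")
```

The unsigned check is only as strong as the name you received in step 2: the hash ties the key to the name, so a discovery reply carrying a different key for that name fails, but a name obtained over an unauthenticated channel would simply be the attacker's own name for the attacker's own key.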