Quote:
What are client side certificates for? Just for authentication?
|
Basically yes. The client's certificate just proves to the server that you are who you say you are. Commonly, the server (or some other trusted third party) will sign your client certificate before sending it back to you. Then when you connect to the server, it can check the signature to see if it's valid. I don't know of many large systems that do use client certificates, but I've got my small email server set up so it requests my client certificate if I want to send/receive mail.
In the case you describe of banks distributing certificates to users, they're probably using something like a pkcs12 file, which, as you correctly pointed out must contain both the public and private key (I think it's encrypted with a shared secret key/passphrase). It's then imported into your browser (see for example tools->options->advanced->encryption in firefox, where you can import the pkcs12 file). It's not perfect (since ideally no-one should EVER know your private key), but it's probably better than the crappy passwords most people would use.
Quote:
For mail encoding I should also have the other party certificate (public key) shouldn't I?
|
Yes, you encrypt the message with the the recipients public key, then sign it with your private key. Provided the recipient trusts your public key (e.g. it's signed by a CA or whatever), this works. It's actually more complicated than that, since both a basic "sign then encrypt" or "encrypt then sign" protocol are vulnerable to various attacks. I can't remember off the top of my head what the details are.
Hope this helps.