On Apr 13, 2021, at 8:17 PM, Michael Richardson <mcr+i...@sandelman.ca> wrote:
> Why did you need the HTTPS server cert?
> Did you need the OIDs, and stuff out of it? Why wasn't the realm name enough
> to make the imposter cert from the non-authorized CA?
>
> I'm just trying to understand how the HTTPS cert is involved here.
The HTTPS cert contains a wealth of information which makes it look "real" to the average person. All of that information can be cloned into the imposter cert. So the only differences between the imposter cert and the real one are (a) the signing CA, and (b) key data that most people don't understand. What any mere mortal looking at the imposter cert will see is "Yup, it has the right addresses, phone numbers, names, etc.". For all intents and purposes, it appears to be real.

This imposter process worked better years ago when supplicants would show the entire cert to the user. Now, many don't even do that. Some just show a fingerprint in a pop-up dialog, and ask the user "is this OK?". How that's useful to anyone is beyond me.

Alan DeKok.

_______________________________________________
Emu mailing list
Emu@ietf.org
https://www.ietf.org/mailman/listinfo/emu