Sallee, Stephen (Jake) wrote:
> Hmmm. I hadn't thought of that attack vector, kind of like a 
> man-in-the-middle attack, but isn't that what the private key is for, to 
> prevent just that?

  To clarify, they can pretend to be a valid server, because *anyone*
signed by Verisign is a valid server.

  To go one step further, they can have Verisign sign a CA, and then use
that CA to create *any* certificate they want, including one which
pretends to be your server.  Most users won't bother reading the entire
certificate chain.  They'll just see "mit.edu" (or whatever) and click "OK".

  Alan DeKok.
-
List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
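The attack described in the reply above, worked through as an added example (not code from the post or from the FreeRADIUS project). It uses only the Go standard library to mint the chain Alan sketches: a commercial root that every client trusts, an intermediate CA that root has signed for the attacker, and a server certificate for the victim's hostname issued under that intermediate. All names in it (the hostname radius.example.org, the CA subjects) are made up. ClientAccepts plays the supplicant: it trusts exactly one root and checks the server name, which is more than most users do, yet it still accepts the forged chain whenever the trusted root is the public one. Only when the supplicant trusts nothing but the organisation's own CA does the forgery fail.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// serverName is a made-up hostname for the RADIUS server being impersonated.
const serverName = "radius.example.org"

// Scenario holds the attacker's purchased chain and the organisation's own PKI.
type Scenario struct {
	PublicRoot  *x509.Certificate // commercial root every client trusts (the "Verisign" role)
	AttackerCA  *x509.Certificate // intermediate CA the attacker had that root sign
	Forged      *x509.Certificate // cert for serverName minted by the attacker's CA
	PrivateRoot *x509.Certificate // the organisation's own CA; it signs only its own servers
	Genuine     *x509.Certificate // the real server cert, signed by PrivateRoot
}

// template builds a CA or end-entity certificate template with a made-up name.
func template(serial int64, name string, isCA bool) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
	}
	if isCA {
		t.KeyUsage = x509.KeyUsageCertSign
	} else {
		t.DNSNames = []string{name} // the name a supplicant would be told to expect
		t.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
	}
	return t
}

// mint generates a fresh P-256 key and signs template t with parentKey;
// when parent is nil the certificate is self-signed (a root).
func mint(t, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	signer := parentKey
	if parent == nil {
		parent, signer = t, key
	}
	der, err := x509.CreateCertificate(rand.Reader, t, parent, &key.PublicKey, signer)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// BuildScenario mints the five certificates: a public root, an attacker
// intermediate under it, a forged server cert, and a private CA with its server.
func BuildScenario() (*Scenario, error) {
	var firstErr error
	must := func(c *x509.Certificate, k *ecdsa.PrivateKey, err error) (*x509.Certificate, *ecdsa.PrivateKey) {
		if err != nil && firstErr == nil {
			firstErr = err
		}
		return c, k
	}
	publicRoot, publicKey := must(mint(template(1, "Public Commercial Root CA", true), nil, nil))
	attackerCA, attackerKey := must(mint(template(2, "Attacker Intermediate CA", true), publicRoot, publicKey))
	forged, _ := must(mint(template(3, serverName, false), attackerCA, attackerKey))
	privateRoot, privateKey := must(mint(template(4, "Example Org Private CA", true), nil, nil))
	genuine, _ := must(mint(template(5, serverName, false), privateRoot, privateKey))
	if firstErr != nil {
		return nil, firstErr
	}
	return &Scenario{publicRoot, attackerCA, forged, privateRoot, genuine}, nil
}

// ClientAccepts emulates a supplicant that trusts exactly one root CA and
// checks the server name; it returns true when the chain validates for serverName.
func ClientAccepts(server, intermediate, root *x509.Certificate) bool {
	roots, inters := x509.NewCertPool(), x509.NewCertPool()
	roots.AddCert(root)
	if intermediate != nil {
		inters.AddCert(intermediate) // the attacker sends its CA cert along with the leaf
	}
	_, err := server.Verify(x509.VerifyOptions{Roots: roots, Intermediates: inters, DNSName: serverName})
	return err == nil
}

func main() {
	s, err := BuildScenario()
	if err != nil {
		panic(err)
	}
	fmt.Println("trusts public root, forged cert:", ClientAccepts(s.Forged, s.AttackerCA, s.PublicRoot))  // true
	fmt.Println("trusts private CA, forged cert:", ClientAccepts(s.Forged, s.AttackerCA, s.PrivateRoot))  // false
	fmt.Println("trusts private CA, genuine cert:", ClientAccepts(s.Genuine, nil, s.PrivateRoot))        // true
}
```

The first line of output is the attack: the forged certificate carries the right name and chains, through the attacker's intermediate, to a root the client trusts, so name checking alone does not help. The practical consequence for an EAP deployment is the one implied by the reply: sign the RADIUS server's certificate with a CA you control, and configure supplicants to trust only that CA (plus the expected server name) rather than the bundle of public roots shipped with the operating system.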
