> To clarify, they can pretend to be a valid server, because *anyone* signed by
> Verisign is a valid server.
>
> To go one step further, they can have Verisign sign a CA, and then use that
> CA to create *any* certificate they want, including one which pretends to be
> your server. Most users won't bother reading the entire certificate chain.
> They'll just see "mit.edu" (or whatever) and click "OK".

Ahh, I see what you mean. Thank you for the clarification. The masses of undereducated and/or apathetic users out there are the biggest challenges facing IT pros.

Thanks again.

Jake Sallee
Godfather Of Bandwidth
Network Engineer
Fone: 254-295-4658
Phax: 254-295-4221

-----Original Message-----
From: freeradius-users-bounces+jake.sallee=umhb....@lists.freeradius.org [mailto:freeradius-users-bounces+jake.sallee=umhb....@lists.freeradius.org] On Behalf Of Alan DeKok
Sent: Thursday, January 20, 2011 1:48 PM
To: FreeRadius users mailing list
Subject: Re: Generating a Microsoft compatible CSR for FreeRADIUS

Sallee, Stephen (Jake) wrote:
> Hmmm. I hadn't thought of that attack vector, kind of like a
> man-in-the-middle attack, but isn't that what the private key is for, to
> prevent just that?

To clarify, they can pretend to be a valid server, because *anyone* signed by Verisign is a valid server.

To go one step further, they can have Verisign sign a CA, and then use that CA to create *any* certificate they want, including one which pretends to be your server. Most users won't bother reading the entire certificate chain. They'll just see "mit.edu" (or whatever) and click "OK".

Alan DeKok.

- List info/subscribe/unsubscribe? See http://www.freeradius.org/list/users.html
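As an added illustration of Alan's point (this script is not from the thread or from the FreeRADIUS project), the following builds two independent CAs, issues a server certificate with the same name from each, and checks which certificate a client accepts depending on which CA it trusts. It assumes openssl is installed; the CA names, the host name radius.example.edu and the file names are all made up.

```shell
#!/bin/sh
# Added example, not from the mailing-list thread. A client accepts *any*
# certificate that chains to a CA it trusts, so a server certificate for the
# same name issued by another CA is accepted whenever that other CA is trusted,
# and rejected when the client pins only its own private CA.
# Assumes openssl is on PATH; CA names and the host name are constructed.
set -e
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
cd "$WORK"

# Self-signed CA: $1 = file prefix, $2 = CA common name
mk_ca() {
  openssl req -x509 -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$1.key" -out "$1.pem" -days 1 -subj "/CN=$2" 2>/dev/null
}

# Server certificate for the RADIUS host name: $1 = issuing CA prefix, $2 = output prefix
mk_server_cert() {
  openssl req -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
    -keyout "$2.key" -out "$2.csr" -subj "/CN=radius.example.edu" 2>/dev/null
  openssl x509 -req -in "$2.csr" -CA "$1.pem" -CAkey "$1.key" -CAcreateserial \
    -out "$2.pem" -days 1 2>/dev/null
}

# Returns 0 when a client whose trust store holds only CA $1 would accept cert $2
# (-no-CApath keeps the system trust store out of the decision)
accepts() {
  openssl verify -no-CApath -CAfile "$1.pem" "$2.pem" >/dev/null 2>&1
}

mk_ca campus-ca "Campus RADIUS CA"      # the private CA the site controls
mk_ca public-ca "Some Public CA"        # stands in for a widely trusted commercial CA
mk_server_cert campus-ca legit          # the real server's certificate
mk_server_cert public-ca impostor       # same CN, but issued by the other CA

for ca in campus-ca public-ca; do
  for cert in legit impostor; do
    if accepts "$ca" "$cert"; then v=accepted; else v=rejected; fi
    echo "client trusting $ca: $cert certificate $v"
  done
done
```

The client that pins only campus-ca accepts legit and rejects impostor; the client that trusts public-ca accepts impostor, which is exactly the situation described above when supplicants are configured to trust a commercial root.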