Hal Merritt wrote:
> That was then. This is now. The target continues to move. Plan on client
> certificates if you are subject to privacy regulations.
> The reason I was given is that server only authentication is vulnerable
> to a 'man in the middle' attack vector. HTH and good luck.
Client certificates allow the server to authenticate the client. The use of client certificates has no bearing whatsoever on the prevention of man-in-the-middle attacks.

To prevent this kind of attack with a mainframe emulation, you need to make sure that your client (such as IBM PCOMM):

1. only recognizes trusted Certification Authorities (like Verisign or your own company CA) for server certificates.

2. has the option selected to verify the hostname. In this case, the cn= attribute in the subject's name in the server certificate must be identical to the hostname. Alternatively, the altName= attribute can be used in the certificate to specify the hostname.

IBM PCOMM does not accept self-signed server certificates. This is helpful in preventing MITM attacks.
--
Ulrich Boche
SVA GmbH, Germany
IBM Premier Business Partner
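
The two checks above (trust only chosen CAs, and require the server name to match cn= or the altName) in code form. This is an added illustration, not code from the post or from IBM PCOMM; the certificate dicts are constructed in the shape Python's ssl.getpeercert() returns, and the CA bundle path is a placeholder.

```python
import ssl
from typing import Any, Dict, Optional


def build_client_context(ca_bundle_path: Optional[str]) -> ssl.SSLContext:
    """TLS client context that rejects unverifiable (e.g. self-signed) server
    certificates and insists the certificate name matches the host dialed.
    ca_bundle_path is a placeholder for your own CA file; None uses the OS store."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED   # check 1: must chain to a trusted CA
    ctx.check_hostname = True             # check 2: name in cert must match host
    if ca_bundle_path is not None:
        ctx.load_verify_locations(cafile=ca_bundle_path)  # only *these* CAs
    else:
        ctx.load_default_certs()
    return ctx


def _dns_name_matches(pattern: str, host: str) -> bool:
    """Compare one certificate DNS name to the host; a wildcard is allowed
    only as the entire leftmost label (*.example.com), never deeper."""
    pattern = pattern.lower().rstrip(".")
    if "*" not in pattern:
        return pattern == host
    first, _, rest = pattern.partition(".")
    if first != "*" or not rest:
        return False
    host_first, _, host_rest = host.partition(".")
    return bool(host_first) and host_rest == rest


def hostname_matches(cert: Dict[str, Any], hostname: str) -> bool:
    """Hostname verification as the post describes it: subjectAltName DNS
    entries are authoritative; the subject's cn= is consulted only when the
    certificate carries no DNS altName at all (legacy certificates)."""
    host = hostname.lower().rstrip(".")
    names = [v for (k, v) in cert.get("subjectAltName", ()) if k == "DNS"]
    if not names:
        for rdn in cert.get("subject", ()):
            for key, value in rdn:
                if key == "commonName":
                    names.append(value)
    return any(_dns_name_matches(n, host) for n in names)


# Constructed sample: a server certificate with a CN that matches the host
# but whose altName names a different server; SAN wins, so this is rejected.
SAMPLE_CERT = {
    "subject": ((("commonName", "tn3270.example.com"),),),
    "subjectAltName": (("DNS", "other.example.com"),),
}
```

With `check_hostname=True` Python performs the same comparison internally during the handshake; `hostname_matches` is written out here only to make the cn=/altName rule visible.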

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html