Re: Free CA

Tue, 13 Jun 2000 04:19:19 -0700 

Richard Levitte - VMS Whacker wrote:
> 
> 
> Oh, what a beautiful mixup I did there between server and client
> certs!  Even got myself confused :-).  However, the fact still
> remains, there's no trust path of value to me, the value of certer
> certs in themselves is more or less none, except to give the server
> and my browser a chance to start an encrypted session, which is
> probably fine for most people.  And from that point of view you're
> absolutely right, the warning about an unknown CA is just an
> annoyance.  But hey, it would be possible for someone to get a
> perfectly legal CA cert signed by, Thawte, and then use it to sign a
> cert presumably for, oh say, Amazon, and thereby fool a whole bunch of
> people.  And in that case, a *silent* browser is a bit more scary to
> me.  Setting up a secure channel is nice enough, but authentication is
> a different matter, and depending on your level of paranoia, quite a
> difficult one at that.
> 
> People just don't have that clue yet...  Or maybe I'm just overly
> paranoid...
> 

Paranoia is essential for crypto work :-)

I reckon this kind of issue is likely to become more important as more
CAs get added to browsers.

A corrupt CA or one which can be forcibly persuaded (e.g. by government
security agencies) to issue bogus certificates can reak havoc with
typical browser or S/MIME client behaviour. 

For example if some country wants to monitor all traffic to a certain
secure site it issues a bogus certificate from its trusted CA and then
performs a man in the middle attack on its gateways.

S/MIME can be handled because many pieces of software will silently
replace a certificate with a new one. So sending a signed message with
the fake ID to the 'victim' allows all traffic from then on to be read.

Steve.
-- 
Dr Stephen N. Henson.   http://www.drh-consultancy.demon.co.uk/
Personal Email: [EMAIL PROTECTED] 
Senior crypto engineer, Celo Communications: http://www.celocom.com/
Core developer of the   OpenSSL project: http://www.openssl.org/
Business Email: [EMAIL PROTECTED] PGP key: via homepage.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    [EMAIL PROTECTED]
Automated List Manager                           [EMAIL PROTECTED]

Reply via email to