Eric Rescorla wrote:

> This isn't a MITM attack, however.

Sorry, Eric -- if you don't know or trust the signer, then you only know that the presenter (could be a MITM) has the private key associated with the pubkey in the cert. This means that a MITM attack is entirely possible. Trust in the CA is required to assure the binding of the SubjectPublicKeyInfo to the DN. That's the feature that prevents the MITM attack.

There's also the convention among browser implementations that the CN should be the FQHN, which is a PITA for numerous reasons.

Of course, your browser presents no warnings whatsoever for certs signed by any number of CAs that are "trusted" simply because their root certs are bundled with the browser. And unless you manually retrieve a CRL, you only know that a cert was valid when it was issued.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                       [EMAIL PROTECTED]
Automated List Manager                          [EMAIL PROTECTED]
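The two checks the post is talking about, a trusted signer and a name that matches the host, can be exercised with the OpenSSL command line. The script below is an added example written for this page, not something posted in the thread. It builds a throwaway CA that stands in for a browser-bundled root, issues a certificate for a constructed placeholder hostname, and then presents three certificates to a client that trusts only that CA: the genuine one, a self-signed one with the same CN (the "presenter has the private key, but who signed it?" case), and a CA-issued one for a different name. Only the first is accepted. Revocation (the CRL point at the end of the post) is not covered here; `openssl verify` checks nothing about revocation unless it is given a CRL.

```shell
#!/bin/sh
# Added example: why trusting the signer and checking the name both matter.
# Everything here is constructed in a temporary directory; the hostname is a
# placeholder, not a real site.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
HOST=www.example.test   # assumed/placeholder hostname

# 1. A CA the client chooses to trust (stands in for a bundled root cert).
openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" \
  -subj "/CN=Demo Trusted CA" >/dev/null 2>&1

# 2. The legitimate server: its own key, CN = the hostname, signed by the CA.
#    This is the CA binding the SubjectPublicKeyInfo to the DN.
openssl req -newkey rsa:2048 -nodes \
  -keyout "$WORK/server.key" -out "$WORK/server.csr" \
  -subj "/CN=$HOST" >/dev/null 2>&1
openssl x509 -req -in "$WORK/server.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$WORK/server.pem" >/dev/null 2>&1

# 3. A certificate an interceptor could make by itself: same CN, its own key,
#    self-signed. The presenter does hold the matching private key, but no
#    trusted CA vouches for the name/key binding.
openssl req -x509 -newkey rsa:2048 -nodes -days 2 \
  -keyout "$WORK/selfsigned.key" -out "$WORK/selfsigned.pem" \
  -subj "/CN=$HOST" >/dev/null 2>&1

# 4. A certificate the trusted CA really issued, but for another name.
#    Signature is fine; the DN does not match the host being contacted.
openssl req -newkey rsa:2048 -nodes \
  -keyout "$WORK/other.key" -out "$WORK/other.csr" \
  -subj "/CN=other.example.test" >/dev/null 2>&1
openssl x509 -req -in "$WORK/other.csr" -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" \
  -CAcreateserial -days 1 -out "$WORK/other.pem" >/dev/null 2>&1

# verify_presented CERTFILE
# Returns 0 if a client that trusts only ca.pem and is connecting to $HOST
# should accept CERTFILE: chain must end at the trusted CA and the name must
# match (OpenSSL falls back to the CN when there is no subjectAltName, which
# is the browser convention the post mentions).
verify_presented() {
  openssl verify -CAfile "$WORK/ca.pem" -verify_hostname "$HOST" "$1" >/dev/null 2>&1
}

# Stand-alone demo output.
for name in server selfsigned other; do
  if verify_presented "$WORK/$name.pem"; then
    echo "$name.pem: accepted"
  else
    echo "$name.pem: rejected"
  fi
done
```

Run as-is; it prints `server.pem: accepted` and rejects the other two. Dropping `-verify_hostname` makes `other.pem` pass, which is exactly the gap a client opens when it validates the chain but never compares the name in the cert to the host it meant to reach.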