On Wed, Sep 26, 2007 at 03:58:08PM -0700, David Schwartz wrote:

> I am not enough of an expert to comment for sure on this, but it seems that
> there would be no harm in using the certificate for this purpose. A MITM
> cannot create an SSL session that uses the same certificate as the real
> server because that would mean the MITM would have to know the same private
> key the real server is using.
> > David's proposal very likely works for him, but IMHO is bad advice,
> > because the sophistication required to execute it correctly is too high.
>
> Do you know any other good way to get MITM detection other than a
> certificate issued by a trusted CA? For some applications, that's just not
> what you want.

Use a self-signed cert and a trusted source of peer<->cert or cert
fingerprint mappings. The public CA is just one mapping function.

-- 
	Viktor.

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
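Viktor's suggestion in concrete form, as an added example that is not code from this thread or from the OpenSSL project: a client that authenticates a server's self-signed certificate by a SHA-256 fingerprint over its DER encoding, looked up in a pin store that was obtained out of band. The pin store layout (a dict keyed by host and port), the hostnames, and the stand-in "certificate" byte strings are all constructed for the example; in practice the pin would be produced on the server with `openssl x509 -in server.pem -noout -fingerprint -sha256` and distributed through something you already trust (configuration management, a signed file, a manual copy).

```python
"""Pin a self-signed server certificate by SHA-256 fingerprint.

Added example, not code from the mailing-list thread or from OpenSSL.
Assumes a pin store of the form {(host, port): {fingerprint, ...}} whose
contents were obtained from a trusted out-of-band source.
"""
import hashlib
import hmac
import socket
import ssl


def fingerprint_sha256(der_cert: bytes) -> str:
    """SHA-256 over the DER certificate, lower-case hex, no colons.

    This is the same value `openssl x509 -noout -fingerprint -sha256`
    prints, once its colons and upper case are stripped.
    """
    return hashlib.sha256(der_cert).hexdigest()


def normalize_pin(pin: str) -> str:
    """Accept either the colon-separated form openssl prints or bare hex."""
    return pin.replace(":", "").strip().lower()


def check_pin(pins: dict, host: str, port: int, der_cert: bytes) -> bool:
    """True iff der_cert matches a pinned fingerprint for (host, port).

    A peer with no entry in the store is rejected, not trusted: when the
    TLS layer is told not to verify, the pin store is the entire trust
    decision. Several pins per peer are allowed so a rotation can be staged.
    """
    expected = {normalize_pin(p) for p in pins.get((host, port), ())}
    if not expected:
        return False
    actual = fingerprint_sha256(der_cert)
    return any(hmac.compare_digest(actual, e) for e in expected)


class PinMismatch(ssl.SSLError):
    """Peer presented a certificate that is not in the pin store (possible MITM)."""


def connect_pinned(pins: dict, host: str, port: int, timeout: float = 10.0) -> ssl.SSLSocket:
    """Open a TLS connection to host:port, authenticating the peer by pin only.

    The chain/CA check is switched off because the certificate is self-signed,
    so nothing is trusted until check_pin passes; on failure the socket is
    closed before any application data could be written to it.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False          # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE     # self-signed: no CA chain to build
    raw = socket.create_connection((host, port), timeout=timeout)
    tls = ctx.wrap_socket(raw, server_hostname=host)
    der = tls.getpeercert(binary_form=True)
    if der is None or not check_pin(pins, host, port, der):
        tls.close()
        raise PinMismatch(f"certificate for {host}:{port} does not match pin store")
    return tls


# Constructed stand-ins for DER certificates (NOT real certificates); a real
# one comes from getpeercert(binary_form=True) or `openssl x509 -outform DER`.
SAMPLE_DER = b"constructed stand-in for the real server's DER certificate"
MITM_DER = b"constructed stand-in for an interposed attacker's DER certificate"

# Constructed pin store: what a trusted out-of-band channel would have given us.
PINS = {
    ("app.example.internal", 8443): {fingerprint_sha256(SAMPLE_DER)},
}


if __name__ == "__main__":
    # Offline demonstration of the decision logic only (no network).
    print("genuine server:", check_pin(PINS, "app.example.internal", 8443, SAMPLE_DER))
    print("interposed cert:", check_pin(PINS, "app.example.internal", 8443, MITM_DER))
    print("unknown peer:", check_pin(PINS, "other.example.internal", 8443, SAMPLE_DER))
```

Two points a deployment has to get right, which is where the "sophistication" objection in the thread comes from: the pin must be checked after the handshake and before the first byte of application data is sent, and a peer with no pin at all must fail closed rather than fall back to unauthenticated TLS. Because the fingerprint covers the whole DER certificate, any re-issued certificate (even one for the same key) needs a new pin pushed out, so the store should support more than one pin per peer during a rotation.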