On Mon, Jul 28, 2008 at 12:34:28PM -0400, Joe Guan wrote:
> I should be more clear -- as a policy, we require all of our clients doing
> the server cert. verification (quite basic, huh?).
If this is a policy requirement on people, it is sure to be largely
ignored. They learn that in most cases certificate verification errors
are IT problems, not MITM attacks, so they stop caring and just accept
the invalid certs.
> > Server cert verification is sufficient for this, the client does not
> > need a client cert for this, so disclosure of any such cert does not
> > break MITM resistance.
>
> To be exact, disclosure of client private key.
Yes, of course.
--
Viktor.
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]
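The two points made in this exchange, that a client which "just accepts the invalid certs" has no MITM resistance at all and that server certificate verification alone (no client certificate) is what provides it, can be shown concretely. The following Go program is an added example, not code from the thread or from the OpenSSL project: it stands up a loopback TLS server presenting a constructed self-signed certificate for the placeholder name `server.example`, then connects three clients to it. The first skips verification and accepts the unknown issuer; the second verifies against the system trust store and refuses it; the third verifies against the one CA the deployment actually trusts and completes the handshake, still without presenting any client certificate.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"fmt"
	"math/big"
	"net"
	"time"
)

const serverName = "server.example" // constructed placeholder, not a host from the thread

// Result records what each client configuration did with the same server.
type Result struct {
	LaxAccepted    bool  // InsecureSkipVerify client finished the handshake
	StrictErr      error // client using the system trust store; non-nil means it refused
	PinnedAccepted bool  // client trusting exactly this server's CA finished the handshake
}

// newSelfSignedCert builds a constructed in-memory self-signed certificate for cn;
// no trusted CA issued it, so a correctly configured client must refuse it.
func newSelfSignedCert(cn string) (tls.Certificate, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return tls.Certificate{}, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		DNSNames:              []string{cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(time.Hour),
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		BasicConstraintsValid: true,
		IsCA:                  true,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, pub, priv)
	if err != nil {
		return tls.Certificate{}, err
	}
	leaf, err := x509.ParseCertificate(der)
	if err != nil {
		return tls.Certificate{}, err
	}
	return tls.Certificate{Certificate: [][]byte{der}, PrivateKey: priv, Leaf: leaf}, nil
}

// dial runs a client handshake with cfg; the dialer timeout bounds the whole handshake.
func dial(addr string, cfg *tls.Config) error {
	c, err := tls.DialWithDialer(&net.Dialer{Timeout: 3 * time.Second}, "tcp", addr, cfg)
	if err == nil {
		c.Close()
	}
	return err
}

// Run starts a loopback server and connects three differently configured clients to it.
func Run() (r Result, err error) {
	cert, err := newSelfSignedCert(serverName)
	if err != nil {
		return r, err
	}
	// The server presents its cert and never asks the client for one.
	ln, err := tls.Listen("tcp", "127.0.0.1:0", &tls.Config{Certificates: []tls.Certificate{cert}})
	if err != nil {
		return r, err
	}
	defer ln.Close()
	go func() {
		for {
			c, err := ln.Accept()
			if err != nil {
				return // listener closed
			}
			_ = c.(*tls.Conn).Handshake() // fails when the client refuses the cert; expected
			c.Close()
		}
	}()
	addr := ln.Addr().String()
	// 1. The client that "just accepts the invalid cert": any server, impostor or not, gets through.
	r.LaxAccepted = dial(addr, &tls.Config{InsecureSkipVerify: true}) == nil
	// 2. Default verification against the system trust store: unknown issuer, refused.
	r.StrictErr = dial(addr, &tls.Config{ServerName: serverName})
	// 3. Verification against the one CA this deployment trusts: accepted, no client cert involved.
	pool := x509.NewCertPool()
	pool.AddCert(cert.Leaf)
	r.PinnedAccepted = dial(addr, &tls.Config{ServerName: serverName, RootCAs: pool}) == nil
	return r, nil
}

func main() {
	r, err := Run()
	fmt.Printf("error=%v skip-verify accepted=%v system-roots error=%v pinned-CA accepted=%v\n", err, r.LaxAccepted, r.StrictErr, r.PinnedAccepted)
}
```

The third client is the configuration the thread argues for: verification stays on, the trust anchor is the CA the organisation actually operates, and the server is authenticated without any client key that could later be disclosed. Note that `ServerName` must be set explicitly here because the dial address is a loopback IP, and that the verification error is what turns a possible MITM into a refused connection rather than something a user is asked to click through.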