On Monday, January 28, 2002 17:32 [EMAIL PROTECTED] wrote:

> Phrack #57 - Hang on, Snoopy (by stealth)
>   http://www.phrack.org/show.php?p=57&a=13
> Herein lies the answer to your question.

It should be noted that this article *only applies* to CAs that are unknown to the 
browser and is focused primarily on server certs used for SSL.  With respect to 
client-side certs, the web server will only trust certs issued by a known, valid CA.  
In most applications, servers only trust certs issued by a particular CA (perhaps a 
local CA) and not the universe of possible commercial CAs that are available by 
default in the web server (since commercial CAs typically have pretty weak auth 
criteria - Verisign, for example lets you get one for "test purposes" using just your 
email address.)  So, using a spurious CA that you control is (usually) out of the 
question.  

If you can get a *trusted* CA to issue you a cert with a CN that you can control (this 
is not always easy to do,) the only way you can impersonate is if the application uses 
custom-written software that checks only the CN and not any other information on the 
cert.  This is not a common practice for exactly the reason that is being discussed.  
Many times the SN is used, which is unique per CA.  

Some resources regarding mapping a cert to a user in particular environments:

Microsoft has an article on how this is set up w/ IIS.  Check out: 
http://www.microsoft.com/windows2000/techinfo/planning/security/mappingcerts.asp

IBM has a similar article for WebSphere:
http://www-4.ibm.com/software/webservers/appserv/doc/v35/ae/infocenter/was/050505.html

Note that in both cases, doing a mapping based on CN where *more than one CA is 
trusted* and/or *uniqueness of CN is not enforced* is incredibly dangerous and hence 
is typically avoided...  At the very least, DN should be used.

Just my $.02...
-E


----------------------------------------------------------------------------
This list is provided by the SecurityFocus Security Intelligence Alert (SIA)
Service. For more information on SecurityFocus' SIA service which
automatically alerts you to the latest security vulnerabilities please see:
https://alerts.securityfocus.com/
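
The mapping choices discussed in the message above (CN only, subject DN, issuer plus serial number), as an added example that is not part of the original message. It assumes the server trusts two CAs and that chain validation has already succeeded; the certificate dicts are constructed samples in the shape returned by Python's `ssl.SSLSocket.getpeercert()`, and all CA, organization and account names are hypothetical.

```python
# Constructed sample data; dict layout follows ssl.SSLSocket.getpeercert().

def name(**attrs):
    """Build a getpeercert()-style name: a tuple of single-attribute RDNs."""
    return tuple(((k, v),) for k, v in attrs.items())

def attr(n, key):
    """Return the first value of attribute `key` in a name, or None."""
    for rdn in n:
        for k, v in rdn:
            if k == key:
                return v
    return None

def dn(n):
    """Flatten a name into a comparable 'k=v,k=v' string."""
    return ",".join(f"{k}={v}" for rdn in n for k, v in rdn)

# Two CAs, both in the server's trust store (assumption for this example).
LOCAL_CA = name(organizationName="Example Corp", commonName="Example Local CA")
OTHER_CA = name(organizationName="Other Issuer", commonName="Other Public CA")

# The cert enrolled for the account, and a cert from the second CA that
# carries the same CN and, by coincidence, the same serial number.
ENROLLED = {"subject": name(organizationName="Example Corp", commonName="alice"),
            "issuer": LOCAL_CA, "serialNumber": "0A1B"}
LOOKALIKE = {"subject": name(organizationName="Unrelated Org", commonName="alice"),
             "issuer": OTHER_CA, "serialNumber": "0A1B"}

CN_TABLE = {"alice": "acct-alice"}
DN_TABLE = {dn(ENROLLED["subject"]): "acct-alice"}
ISSUER_SERIAL_TABLE = {(dn(LOCAL_CA), "0A1B"): "acct-alice"}

def map_by_cn(cert):
    """CN-only mapping: any trusted CA's cert with this CN maps to the account."""
    return CN_TABLE.get(attr(cert["subject"], "commonName"))

def map_by_subject_dn(cert):
    """Full subject DN mapping: all subject attributes must match."""
    return DN_TABLE.get(dn(cert["subject"]))

def map_by_issuer_serial(cert):
    """Issuer DN + serial: the serial is only unique per CA, so the issuer is part of the key."""
    return ISSUER_SERIAL_TABLE.get((dn(cert["issuer"]), cert["serialNumber"].upper()))

if __name__ == "__main__":
    for label, cert in (("enrolled", ENROLLED), ("lookalike", LOOKALIKE)):
        print(label, map_by_cn(cert), map_by_subject_dn(cert), map_by_issuer_serial(cert))
```
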
