Re: [jdev] Re: TLS and self-signed certs

2004-11-18 Thread Matthias Wimmer
Hi JD! JD Conley wrote on 2004-11-12 09:18:46: Not sure ... there are valid reasons to change your s2s certificate: - Key expired - Key has been compromised - Key has been lost Well, if the cert changed you could then verify the key again with a dialback and reset the cache if

[jdev] Re: TLS and self-signed certs

2004-11-18 Thread Neil Stevens
On Thursday 18 November 2004 04:38 am, Matthias Wimmer wrote: Having a trusted body like the JSF, that acts as a registry/CA might be a solution and I am looking forward to see Peter's proposal ... the remaining problem might be to verify if

RE: [jdev] Re: TLS and self-signed certs

2004-11-18 Thread JD Conley
-----Original Message----- From: Matthias Wimmer [mailto:[EMAIL PROTECTED]] Hi JD! JD Conley wrote on 2004-11-12 09:18:46: Not sure ... there are valid reasons to change your s2s certificate: - Key expired - Key has been compromised - Key has been lost Well, if the

Re: [jdev] Re: TLS and self-signed certs

2004-11-18 Thread Jacek Konieczny
On Thu, Nov 18, 2004 at 09:33:05AM -0800, JD Conley wrote: If an attacker attempts to connect and provides a certificate that is not on record for the host they are claiming to be, a dialback is performed against the authority of the host. The attacker, unless they have control of DNS or the

Re: [jdev] Re: TLS and self-signed certs

2004-11-18 Thread David Waite
Nothing can be done without trust. We are using Verisign today as a trusted body for providing correct DNS records and references. -David Waite On Thu, 18 Nov 2004 05:14:02 -0800, Neil Stevens [EMAIL PROTECTED] wrote: On Thursday 18 November

[jdev] Re: TLS and self-signed certs

2004-11-18 Thread Peter Saint-Andre
In article [EMAIL PROTECTED], David Waite [EMAIL PROTECTED] wrote: One man's trusted body is another man's corruptible agency. Nothing can be done without trust. We are using Verisign today as a trusted body for providing correct DNS records and references. Shyeah, speaking of corruptible

[jdev] Re: TLS and self-signed certs

2004-11-18 Thread Peter Saint-Andre
In article [EMAIL PROTECTED], Jacek Konieczny [EMAIL PROTECTED] wrote: On Thu, Nov 18, 2004 at 09:33:05AM -0800, JD Conley wrote: If an attacker attempts to connect and provides a certificate that is not on record for the host they are claiming to be, a dialback is performed against the

[jdev] Re: TLS and self-signed certs

2004-11-18 Thread Neil Stevens
On Thursday 18 November 2004 10:07 am, David Waite wrote: Nothing can be done without trust. We are using Verisign today as a trusted body for providing correct DNS records and references. Funny business in DNS is easy to detect. Funny business in

[jdev] Re: TLS and self-signed certs

2004-11-18 Thread Peter Saint-Andre
In article [EMAIL PROTECTED], Neil Stevens [EMAIL PROTECTED] wrote: On Thursday 18 November 2004 10:07 am, David Waite wrote: Nothing can be done without trust. We are using Verisign today as a trusted body for providing correct DNS records