On 19/11/2010, at 10:22 AM, Matthew Wild wrote:

> On 18 November 2010 23:07, David Banes <[email protected]> wrote:
>> Cisco should sponsor/host it...
>>
>
> A lonely picture of Dave hanging on some wall in the Cisco offices? I
> can see it now...
>
> Aaaaanyway...
>
> The problem I see with this is - when the admin changes the certs
> (e.g. they expire) - what next? We just blindly trust the new certs
> after dialback? Isn't there a risk that the MITM comes along, offers a
> new cert, and intercepts the dialback verifications and acks it
> successfully?

If the cert changes I think you have to start from scratch.

>
> In SSH at least you get notified (quite loudly) that the server
> fingerprint has changed.

Send an IM / email alert to the domain admin, drop a flag in the error/security log.

>
> Matthew
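
Added example, not part of the original message and not code from any XMPP server: a minimal trust-on-first-use pin store that treats a changed certificate the way the reply above suggests (drop the pin, start from scratch, alert the admin, flag it in the security log). The class name, the `verified` flag standing in for a completed dialback check, and the `alerts` list standing in for an IM/email to the domain admin are all assumptions.

```python
import hashlib
import hmac
import logging

log = logging.getLogger("s2s.security")  # hypothetical security log channel


class PinStore:
    """Maps a peer domain to the SHA-256 fingerprint of its DER-encoded certificate."""

    def __init__(self):
        self.pins = {}
        self.alerts = []  # stand-in for the IM / email alert to the domain admin

    @staticmethod
    def fingerprint(der_cert: bytes) -> str:
        return hashlib.sha256(der_cert).hexdigest()

    def check(self, domain: str, der_cert: bytes) -> str:
        """Return 'trusted', 'unverified' (no pin yet) or 'changed' (pin mismatch)."""
        domain = domain.lower()
        seen = self.fingerprint(der_cert)
        pinned = self.pins.get(domain)
        if pinned is None:
            return "unverified"  # nothing pinned: full verification is required
        if hmac.compare_digest(pinned, seen):
            return "trusted"
        # The certificate changed: never silently replace the pin.
        # Drop it so the peer has to be verified from scratch, and be loud about it.
        del self.pins[domain]
        log.warning("certificate for %s changed: pinned=%s presented=%s",
                    domain, pinned, seen)
        self.alerts.append((domain, pinned, seen))
        return "changed"

    def pin_after_verification(self, domain: str, der_cert: bytes, verified: bool) -> bool:
        """Pin only once the caller reports that verification succeeded."""
        if not verified:
            return False
        self.pins[domain.lower()] = self.fingerprint(der_cert)
        return True
```

A `changed` result should end the connection attempt; the peer is only pinned again after a fresh verification that the operator accepts.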
