I recently submitted a certificate request to Verisign for my SSL web server. Looking over the process, I don't see how it avoids MITM in any way.

The process:

A) I send to netscape-cert@versign.com the email address and phone number of my webmaster (me) along with the cert request, generated using SSLeay's 'req' utility.

B) I fax to Verisign a request letter saying "I have a right to use the name Community ConneXion, etc." and proof of right to use name. (Berkeley biz license and Alameda Cty. fictitious bizname statement, in my case.)

C) I snail mail them the same thing.

I don't see any mechanism in place to avoid an MITM subverting step (A), and putting in his cert request in there. There isn't a strong cryptographic unforgeable relationship between my usmail/fax/proof request and the emailed kx509 cert request.

--
sameer                                     Voice:  510-601-9777
Community ConneXion                        FAX:    510-601-9734
The Internet Privacy Provider              Dialin: 510-658-6376
http://www.c2.org (or login as "guest")    sameer@c2.org
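One way to supply the binding the post says is missing, as an added example that is not part of the original post or of Verisign's procedure: the applicant hashes the CSR they e-mail in step (A) and writes that fingerprint on the faxed and mailed letter of steps (B) and (C), so a CSR substituted in transit no longer matches the out-of-band value. The CSR bodies below are constructed stand-ins rather than real DER, and SHA-256 is assumed as the digest.

```python
import base64
import hashlib
import hmac
import re

# PEM armor as emitted by SSLeay/OpenSSL 'req'
PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE REQUEST-----\s*(.*?)\s*-----END CERTIFICATE REQUEST-----",
    re.S,
)


def pem_to_der(pem: str) -> bytes:
    """Strip the PEM armor from a CSR and return the raw DER bytes."""
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE REQUEST block found")
    return base64.b64decode("".join(m.group(1).split()))


def csr_fingerprint(pem: str) -> str:
    """SHA-256 of the DER CSR as colon-separated hex: the value the applicant
    writes on the faxed/mailed letter, where an e-mail MITM cannot rewrite it."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def ca_accepts(emailed_pem: str, faxed_fingerprint: str) -> bool:
    """The CA's binding check: the CSR that arrived by e-mail must hash to the
    fingerprint that arrived on the out-of-band letter."""
    return hmac.compare_digest(csr_fingerprint(emailed_pem), faxed_fingerprint.upper())


def wrap_pem(body: bytes) -> str:
    """Wrap constructed bytes in CSR PEM armor (64-column base64)."""
    b64 = base64.b64encode(body).decode()
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE REQUEST-----\n" + "\n".join(lines)
            + "\n-----END CERTIFICATE REQUEST-----\n")


# Constructed stand-ins for the applicant's CSR and one an attacker swaps in.
LEGIT_CSR = wrap_pem(b"constructed CSR: CN=www.c2.org, webmaster's public key")
MITM_CSR = wrap_pem(b"constructed CSR: CN=www.c2.org, attacker's public key")


def enrollment(emailed_pem: str) -> bool:
    """Step (A) delivers emailed_pem; steps (B)/(C) deliver the legitimate fingerprint."""
    faxed_fingerprint = csr_fingerprint(LEGIT_CSR)
    return ca_accepts(emailed_pem, faxed_fingerprint)
```

A substituted CSR still carries a valid self-signature (it proves only possession of some key), which is why the fingerprint has to travel on the channel the attacker does not control.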