17 Dec 2003, 11:17 p.m.
Tim Dierks wrote:
The only effort they make is that when using the email-based CA, it mails the certificate to the address within, so it's not trivial to get a cert for an address that you don't have access to. (I'm not saying it's impossible, or even hard, just that it requires some skill and effort).
For example, see http://www.digicrime.com/id.html . I believe they got these certificates using the Web, rather than e-mail. I think with e-mail, you'd actually have to be running a packet sniffer or doing an active attack such as DNS spoofing. However, the Web is much, much more convenient. In any case, the page I referenced above is worthwhile reading.

Raph