[ssl-users@mincom.oz.au deleted from the distribution, as I am not on that list] At 3:40 PM 10/20/95, sameer wrote:
I recently submitted a certificate request to Verisign for my SSL web server. Looking over the process, I don't see how it avoids MITM in any way.
....
I don't see any mechanism in place to avoid an MITM subverting step (A), and putting in his cert request in there. There isn't a strong cryptographic unforgeable relationship between my usmail/fax/proof request and the emailed kx509 cert request.
An interesting "direct demonstration" of this would be to get a certificate generated for a well-known company, institution, or political candidate. This would demonstrate the flaws in the e-mai/fax/snailmail process like nothing else. (Tangential note: Of course, my fear is always that exposing such flaws shows that "we need a national identity system." After all, what Sameer is describing is implicit in the fact that neither e-mail, nor a fax, nor snail mail, is proof that an entity exists, or that the paperwork represents the entity. That's a tough nut to crack, absent an "is-a-person" or "is-an-institution" credentialling system.) --Tim May Views here are not the views of my Internet Service Provider or Government. ---------:---------:---------:---------:---------:---------:---------:---- Timothy C. May | Crypto Anarchy: encryption, digital money, tcmay@got.net 408-728-0152 | anonymous networks, digital pseudonyms, zero Corralitos, CA | knowledge, reputations, information markets, Higher Power: 2^756839 | black markets, collapse of governments. "National borders are just speed bumps on the information superhighway."