Verisign and MITM
I recently submitted a certificate request to Verisign for my SSL web server. Looking over the process, I don't see how it avoids MITM in any way.

The process:

A) I send to netscape-cert@versign.com the email address and phone number of my webmaster (me) along with the cert request, generated using SSLeay's 'req' utility.

B) I fax to Verisign a request letter saying "I have a right to use the name Community ConneXion, etc." and proof of right to use name. (Berkeley biz license and Alameda Cty. fictitious bizname statement, in my case.)

C) I snail mail them the same thing.

I don't see any mechanism in place to avoid an MITM subverting step (A), and putting in his cert request in there. There isn't a strong cryptographic unforgeable relationship between my usmail/fax/proof request and the emailed kx509 cert request.

--
sameer                                      Voice: 510-601-9777
Community ConneXion                         FAX: 510-601-9734
The Internet Privacy Provider               Dialin: 510-658-6376
http://www.c2.org (or login as "guest")     sameer@c2.org

sameer <sameer@c2.org> writes:
I recently submitted a certificate request to Verisign for my SSL web server. Looking over the process, I don't see how it avoids MITM in any way. [...] I don't see any mechanism in place to avoid an MITM subverting step (A), and putting in his cert request in there. There isn't a strong cryptographic unforgeable relationship between my usmail/fax/proof request and the emailed kx509 cert request.

I guess the one limitation is that you would either not get the certificate (because the MITM kept it) or you would find out that it did not include your public key (if he forwarded it to you). In either case the MITM would be discovered. In the meantime he could wreak some havoc, though. But he would be found out after a few days. That's one of the things they need Certificate Revocation Lists for in their system, but I don't know if they are used.

Hal
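
The check Hal describes (does the returned certificate carry the key I requested?) comes down to comparing public-key fingerprints. The script below is an added example, not part of the original thread or of Verisign's process. It uses the `openssl` command line in place of SSLeay's 'req', with constructed keys, a throwaway test CA and the placeholder name www.example.test. As an assumption, the same fingerprint written into the faxed letter would tie the paper request to the emailed one.

```shell
#!/bin/sh
# Added example (not from the thread): all keys, names and the CA are constructed.

# SHA-256 fingerprint of the DER-encoded public key read as PEM on stdin.
key_fp() {
    openssl pkey -pubin -outform DER | openssl dgst -sha256 -r | cut -d' ' -f1
}
# Fingerprint of the key inside a certificate request / inside a certificate.
csr_key_fp()  { openssl req  -in "$1" -noout -pubkey | key_fp; }
cert_key_fp() { openssl x509 -in "$1" -noout -pubkey | key_fp; }

# Succeeds only if certificate $2 certifies the key from our own request $1.
cert_matches_csr() {
    [ "$(csr_key_fp "$1")" = "$(cert_key_fp "$2")" ]
}

# Constructed scenario: the test CA issues one certificate from our request
# and one from a substituted request that names the same subject.
demo() {
    d=$(mktemp -d) || return 1
    for n in ca mine other; do
        openssl ecparam -name prime256v1 -genkey -noout -out "$d/$n.key"
    done
    openssl req -x509 -new -key "$d/ca.key" -subj "/CN=Constructed Test CA" \
        -days 1 -out "$d/ca.pem"
    for n in mine other; do
        openssl req -new -key "$d/$n.key" -subj "/CN=www.example.test" \
            -out "$d/$n.csr"
        openssl x509 -req -in "$d/$n.csr" -CA "$d/ca.pem" -CAkey "$d/ca.key" \
            -CAcreateserial -days 1 -out "$d/$n.crt" 2>/dev/null
    done
    out=""
    for n in mine other; do
        # Always compare against the request we generated ourselves.
        if cert_matches_csr "$d/mine.csr" "$d/$n.crt"; then
            out="$out $n.crt=match"
        else
            out="$out $n.crt=MISMATCH"
        fi
    done
    rm -rf "$d"
    echo "${out# }"
}

demo
```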