Verisign and MITM

Hal hfinney at shell.portal.com
Sat Oct 21 13:53:08 PDT 1995


sameer <sameer at c2.org> writes:

>	I recently submitted a certificate request to Verisign for my
>SSL web server. Looking over the process, I don't see how it avoids
>MITM in any way.
>[...]
>	I don't see any mechanism in place to avoid an MITM subverting
>step (A), and putting in his cert request in there. There isn't a
>strong cryptographic unforgeable relationship between my
>usmail/fax/proof request and the emailed kx509 cert request.

I guess the one limitation is that you would either not get the
certificate (because the MITM kept it) or you would find out that it did
not include your public key (if he forwarded it to you).  In either case
the MITM would be discovered.  In the meantime he could wreak some
havoc, though.  But he would be found out after a few days.  That's one
of the things they need Certificate Revocation Lists for in their system,
but I don't know if they are used.

Hal
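The detection Hal describes boils down to one check on the requester's side: does the public key inside the certificate that came back match the key pair the request was generated from? The script below is an added illustration, not code from the thread; it assumes only the openssl command-line tool, and every name, key and the toy CA are constructed for the example.

```shell
#!/bin/sh
# Added example (not from the original thread): a toy CA signs whatever
# request reaches it, so a request substituted in transit gets a perfectly
# valid certificate. The requester detects this by checking that the
# certificate's public key is the one from their own key pair.
# Assumes the openssl CLI. All names and keys here are constructed.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Toy CA, standing in for the CA in the thread (self-signed, constructed).
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.crt \
    -subj "/CN=Toy CA" -days 1 >/dev/null 2>&1

# The legitimate requester's key pair and certificate request (CSR).
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out server.key >/dev/null 2>&1
openssl req -new -key server.key -out server.csr \
    -subj "/CN=www.example.test" >/dev/null 2>&1

# A second key pair with a request for the same name, representing a
# request swapped in somewhere between the requester and the CA.
openssl genpkey -algorithm RSA -pkeyopt rsa_keygen_bits:2048 \
    -out other.key >/dev/null 2>&1
openssl req -new -key other.key -out other.csr \
    -subj "/CN=www.example.test" >/dev/null 2>&1

# The CA cannot tell the two apart by name and signs both.
openssl x509 -req -in server.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out genuine.crt -days 1 >/dev/null 2>&1
openssl x509 -req -in other.csr -CA ca.crt -CAkey ca.key -CAcreateserial \
    -out substituted.crt -days 1 >/dev/null 2>&1

# The requester's check: compare the SubjectPublicKeyInfo in the
# certificate ($1) with the public half of the local private key ($2).
# Returns 0 on a match, 1 otherwise.
cert_matches_key() {
    cert_pub=$(openssl x509 -in "$1" -noout -pubkey)
    key_pub=$(openssl pkey -in "$2" -pubout)
    if [ "$cert_pub" = "$key_pub" ]; then
        echo "$1: public key matches $2"
        return 0
    fi
    echo "$1: public key does NOT match $2 (request was replaced)"
    return 1
}

cert_matches_key genuine.crt server.key
cert_matches_key substituted.crt server.key || true
```

The same comparison can be run against the CSR before it is sent (`openssl req -noout -pubkey`), which also pins down which copy of the request the CA actually signed.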
