Verisign and MITM

[Timothy C. May]

[ssl-users at mincom.oz.au deleted from the distribution, as I am not on that list]

At 3:40 PM 10/20/95, sameer wrote:
>        I recently submitted a certificate request to Verisign for my
>SSL web server. Looking over the process, I don't see how it avoids
>MITM in any way.
....
>        I don't see any mechanism in place to avoid an MITM subverting
>step (A), and putting in his cert request in there. There isn't a
>strong cryptographic unforgeable relationship between my
>usmail/fax/proof request and the emailed kx509 cert request.

An interesting "direct demonstration" of this would be to get a certificate
generated for a well-known company, institution, or political candidate.
This would demonstrate the flaws in the e-mai/fax/snailmail process like
nothing else.

(Tangential note: Of course, my fear is always that exposing such flaws
shows that "we need a national identity system." After all, what Sameer is
describing is implicit in the fact that neither e-mail, nor a fax, nor
snail mail, is proof that an entity exists, or that the paperwork
represents the entity. That's a tough nut to crack, absent an "is-a-person"
or "is-an-institution" credentialling system.)

--Tim May

Views here are not the views of my Internet Service Provider or Government.
---------:---------:---------:---------:---------:---------:---------:----
Timothy C. May              | Crypto Anarchy: encryption, digital money,
tcmay at got.net  408-728-0152 | anonymous networks, digital pseudonyms, zero
Corralitos, CA              | knowledge, reputations, information markets,
Higher Power: 2^756839      | black markets, collapse of governments.
"National borders are just speed bumps on the information superhighway."