Server Authentication

Jim Choate ravage at EINSTEIN.ssz.com
Mon Jan 20 15:26:10 PST 1997



Forwarded message:

> Date: Mon, 20 Jan 1997 09:26:05 -0800 (PST)
> From: Eric Murray <ericm at lne.com>
> Subject: Re: Server Authentication
> 
> I think that you can get access to the server's certificate.
> I know you can from the CGI interface.  Unfortunately it's the
> raw ASN.1 encoded certificate, so you would have to ASN.1 decode it.
> Bleah.
> 
> If the SSL handshake completes, then you can assume that the client
> has verified and authenticated the server certificate.   The only problem
> would be that the authentication might not be up to the plugin's standards-
> i.e.  a connection to www.foo.com is somehow intercepted by
> www.ripoff-plugins.com.  The server www.ripoff-plugins.com presents a cert
> whose name is www.foo.com.  The browser correctly presents a pop-up dialog
> noting the discrepancy, and the luser operating the client clicks
> on the 'OK' button, allowing the SSL handshake to finish.  Oops.
 
Isn't LDAP v3 supposed to answer some of these questions related to server
authentication as well as anonymity of the user's site (if desired)?
 
                                                 Jim Choate
                                                 CyberTects
                                                 ravage at ssz.com
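The failure mode Eric describes above (a handshake that completes only because the user clicked through the name-mismatch dialog) is exactly what a plugin can avoid by doing its own peer-name check instead of trusting the browser's prompt. The following is an added example written for this archive, not code from either poster: it builds a Python `ssl` client context that aborts the handshake on an unverifiable chain or a name mismatch, and it shows the name-matching rule itself on a constructed certificate dictionary in the shape `getpeercert()` returns. The names www.foo.com and www.ripoff-plugins.com are taken from the message; the certificate contents and the simplified single-label wildcard rule are the editor's assumptions.

```python
import ssl

def strict_client_context() -> ssl.SSLContext:
    """Client context that refuses to finish the handshake unless the server
    chain verifies AND the certificate name matches the host we dialled.
    There is no pop-up to click through: a mismatch raises SSLCertVerificationError.
    After a successful handshake, sock.getpeercert() gives the decoded dict used
    below, and sock.getpeercert(binary_form=True) gives the raw DER (ASN.1) bytes."""
    ctx = ssl.create_default_context()
    ctx.check_hostname = True            # name mismatch aborts the handshake
    ctx.verify_mode = ssl.CERT_REQUIRED  # unverifiable chain aborts the handshake
    return ctx

def names_from_peercert(cert: dict) -> list:
    """Collect the DNS names a certificate claims. Per RFC 6125 the
    subjectAltName entries win; the subject CN is a fallback only when
    the certificate carries no DNS SAN at all."""
    dns = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns:
        return dns
    return [value for rdn in cert.get("subject", ()) for key, value in rdn
            if key == "commonName"]

def hostname_matches(cert_names: list, hostname: str) -> bool:
    """Simplified browser-style matching (editor's assumption, not Netscape's code):
    exact, case-insensitive label comparison, and a wildcard only as the whole
    leftmost label of a name with at least three labels (so *.com never matches)."""
    host = hostname.lower().rstrip(".").split(".")
    for name in cert_names:
        labels = name.lower().rstrip(".").split(".")
        if len(labels) != len(host):
            continue                      # wildcard covers exactly one label
        if labels[0] == "*":
            if len(labels) < 3 or "*" in labels[1:]:
                continue                  # reject *.com and nested wildcards
            if labels[1:] == host[1:]:
                return True
        elif "*" not in name and labels == host:
            return True
    return False

def verify_peer_name(cert: dict, hostname: str) -> bool:
    """True only if the presented certificate is actually for `hostname`."""
    return hostname_matches(names_from_peercert(cert), hostname)

# Constructed certificate, in the dict layout returned by SSLSocket.getpeercert().
# It is the certificate from the message: issued for www.foo.com, but it may be
# presented by whoever intercepted the connection (www.ripoff-plugins.com).
CONSTRUCTED_FOO_CERT = {
    "subject": ((("commonName", "www.foo.com"),),),
    "subjectAltName": (("DNS", "www.foo.com"), ("DNS", "*.foo.com")),
}

if __name__ == "__main__":
    for host in ("www.foo.com", "mail.foo.com", "www.ripoff-plugins.com"):
        print(host, "->", "accept" if verify_peer_name(CONSTRUCTED_FOO_CERT, host)
              else "reject")
```

The plugin would call `verify_peer_name()` against the host it intended to reach, not the host that answered; if that returns `False` the plugin drops the connection regardless of what the user told the browser's dialog.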