Verisign and MITM
I recently submitted a certificate request to Verisign for my
SSL web server. Looking over the process, I don't see how it avoids
MITM in any way.
The process:
A) I send to [email protected] the email address and phone
number of my webmaster (me) along with the cert request, generated
using SSLeay's 'req' utility.
B) I fax to Verisign a request letter saying "I have a right to use
the name Community ConneXion, etc." and proof of right to use
name. (Berkeley biz license and Alameda Cty. fictitious bizname
statement, in my case.)
C) I snail mail them the same thing.
I don't see any mechanism in place to avoid an MITM subverting
step (A) and putting his own cert request in there. There isn't a
strong, cryptographically unforgeable relationship between my
usmail/fax/proof request and the emailed kx509 cert request.
--
sameer Voice: 510-601-9777
Community ConneXion FAX: 510-601-9734
The Internet Privacy Provider Dialin: 510-658-6376
http://www.c2.org (or login as "guest") [email protected]
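The missing link the post points at is a binding between the out-of-band proof (fax, snail mail) and the specific CSR that arrives by e-mail. The standard way to close it is for the requester to quote a cryptographic fingerprint of the CSR on the signed letter, so that the CA can refuse to issue when the e-mailed CSR does not hash to the quoted value. The following is an added illustration, not part of the original post or of any Verisign or SSLeay code; the DER payloads are constructed placeholders (not real ASN.1), and the helper names are invented for the example.

```python
"""Binding an out-of-band identity proof to one specific CSR.

Added example: the requester computes a SHA-256 fingerprint of the CSR's DER
encoding and writes it on the faxed/mailed letter; the CA side only accepts the
e-mailed CSR if it reproduces that fingerprint. A substituted CSR therefore
fails the check even though the letter itself is genuine. All sample bytes and
names below are constructed for the demo.
"""
import base64
import hashlib
import hmac
import re

PEM_RE = re.compile(
    r"-----BEGIN CERTIFICATE REQUEST-----(.*?)-----END CERTIFICATE REQUEST-----",
    re.DOTALL,
)


def make_pem(der: bytes) -> str:
    """Wrap raw DER bytes in PEM armour (64-column base64, as openssl does)."""
    b64 = base64.b64encode(der).decode("ascii")
    lines = [b64[i:i + 64] for i in range(0, len(b64), 64)]
    return ("-----BEGIN CERTIFICATE REQUEST-----\n"
            + "\n".join(lines)
            + "\n-----END CERTIFICATE REQUEST-----\n")


def pem_to_der(pem: str) -> bytes:
    """Extract and decode the base64 body. Line-wrapping or whitespace changes
    picked up in transit must not alter the fingerprint, so strip all of it."""
    m = PEM_RE.search(pem)
    if m is None:
        raise ValueError("no CERTIFICATE REQUEST block found")
    body = re.sub(r"\s+", "", m.group(1))
    return base64.b64decode(body, validate=True)


def csr_fingerprint(pem: str) -> str:
    """SHA-256 over the DER encoding, rendered as colon-separated upper-case hex
    (the same presentation openssl uses for fingerprints)."""
    digest = hashlib.sha256(pem_to_der(pem)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def ca_verify(emailed_csr_pem: str, fingerprint_on_letter: str) -> bool:
    """CA-side check: issue only if the e-mailed CSR matches the fingerprint the
    requester put on the letter. The letter's copy is normalised first (people
    type lower-case, drop colons, add spaces) and compared in constant time."""
    want = re.sub(r"[^0-9A-Fa-f]", "", fingerprint_on_letter).upper()
    have = csr_fingerprint(emailed_csr_pem).replace(":", "")
    return hmac.compare_digest(want, have)


# Constructed placeholder DER payloads (not real ASN.1), standing in for the
# requester's genuine CSR and for one substituted somewhere between requester
# and CA.
GENUINE_DER = b"constructed: CSR for www.c2.org, requester's own public key"
SUBSTITUTED_DER = b"constructed: CSR for www.c2.org, some other public key"


def demo() -> dict:
    """Run the three cases a CA operator would want to see."""
    genuine = make_pem(GENUINE_DER)
    letter_fp = csr_fingerprint(genuine)  # this is what goes on the fax/letter
    return {
        "genuine_accepted": ca_verify(genuine, letter_fp),
        "substituted_rejected": not ca_verify(make_pem(SUBSTITUTED_DER), letter_fp),
        "sloppy_transcription_ok": ca_verify(
            genuine, letter_fp.lower().replace(":", " ")),
    }


if __name__ == "__main__":
    for case, ok in demo().items():
        print(f"{case}: {ok}")
```

With a real request, the DER input would come from the CSR file itself (for example `openssl req -in csr.pem -outform DER -out csr.der`) rather than from the constructed bytes above. Hashing the whole DER rather than just the public key also covers the subject name, so a request with the right key but a tampered subject is caught as well; the check only helps if the fingerprint travels with the proof of identity, never in the same e-mail as the CSR.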