[Date Prev][Date Next][Thread Prev][Thread Next][Date Index][Thread Index]

Re: Verisign and MITM

sameer <[email protected]> writes:

>	I recently submitted a certificate request to Verisign for my
>SSL web server. Looking over the process, I don't see how it avoids
>MITM in any way.
>	I don't see any mechanism in place to avoid an MITM subverting
>step (A), and putting in his cert request in there. There isn't a
>strong cryptographic unforgeable relationship between my
>usmail/fax/proof request and the emailed kx509 cert request.

I guess the one limitation is that you would either not get the
certificate (because the MITM kept it) or you would find out that it did
not include your public key (if he forwarded it to you).  In either case
the MITM would be discovered.  In the mean time he could wreak some
havoc, though.  But he would be found out after a few days.  That's one
of the things they need Certificate Revocation Lists for in their system,
but I don't know if they are used.