1995-10-20 - Verisign and MITM

Header Data

From: sameer <sameer@c2.org>
To: cypherpunks@toad.com
Message Hash: 5dbc197cf58c5c48f4a60c32e28b5d03ad945709c4597cf70c1f9beba47169b5
Message ID: <199510201540.IAA11523@infinity.c2.org>
Reply To: N/A
UTC Datetime: 1995-10-20 15:45:50 UTC
Raw Date: Fri, 20 Oct 95 08:45:50 PDT

Raw message

From: sameer <sameer@c2.org>
Date: Fri, 20 Oct 95 08:45:50 PDT
To: cypherpunks@toad.com
Subject: Verisign and MITM
Message-ID: <199510201540.IAA11523@infinity.c2.org>
MIME-Version: 1.0
Content-Type: text/plain


	I recently submitted a certificate request to Verisign for my
SSL web server. Looking over the process, I don't see how it avoids
MITM in any way.

The process:

A) I send to netscape-cert@versign.com the email address and phone
number of my webmaster (me) along with the cert request, generated
using SSLeay's 'req' utility.

B) I fax to Verisign a request letter saying "I have a right to use
the name Community ConneXion, etc." and proof of right to use the
name. (Berkeley biz license and Alameda Cty. fictitious bizname
statement, in my case.)

C) I snail mail them the same thing.


	I don't see any mechanism in place to avoid an MITM subverting
step (A) and putting his own cert request in there. There isn't a
strong cryptographic unforgeable relationship between my
usmail/fax/proof request and the emailed kx509 cert request.


-- 
sameer						Voice:   510-601-9777
Community ConneXion				FAX:	 510-601-9734
The Internet Privacy Provider			Dialin:  510-658-6376
http://www.c2.org (or login as "guest")			sameer@c2.org
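The gap described in the message is that nothing ties the emailed cert request to the faxed and mailed proof of identity. As an added illustration (not part of the original post, and not anything Verisign's process did), the script below uses the openssl CLI, the descendant of SSLeay's 'req' utility, to show that a CSR's self-signature only proves possession of the private key, and that writing the key's fingerprint on the signed paper letter gives the CA a check that the CSR it received by email is the one the paperwork vouches for. The hostname and file names are constructed.

```shell
#!/bin/sh
# Added example, not from the original message. Requires the openssl CLI.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Generate a key and CSR the way the applicant would (CN is constructed).
make_csr() {  # $1 = output basename, $2 = CN to put in the request
    openssl req -new -newkey rsa:2048 -nodes -keyout "$WORK/$1.key" \
        -subj "/CN=$2" -out "$WORK/$1.csr" 2>/dev/null
}

# Proof of possession: a CSR is self-signed with the requester's private key.
# A valid signature proves the sender holds that key, nothing about who they are.
csr_self_signature_ok() {  # $1 = CSR path
    openssl req -in "$1" -noout -verify >/dev/null 2>&1
}

# SHA-256 fingerprint of the public key (SubjectPublicKeyInfo) inside the CSR.
# This is the value the applicant would print on the signed paper letter.
csr_key_fingerprint() {  # $1 = CSR path
    openssl req -in "$1" -noout -pubkey \
        | openssl pkey -pubin -outform DER \
        | openssl dgst -sha256 | awk '{print $NF}'
}

# CA-side binding check: the fingerprint read from the paper letter ($1) must
# match the CSR that arrived by email ($2). Exit status 0 = bound, 1 = reject.
csr_matches_letter() {
    [ "$1" = "$(csr_key_fingerprint "$2")" ]
}

make_csr applicant www.example.org
make_csr intruder  www.example.org          # same name, different key pair
LETTER_FP=$(csr_key_fingerprint "$WORK/applicant.csr")   # goes on the fax

csr_self_signature_ok "$WORK/applicant.csr" && echo "applicant CSR: self-signature ok"
csr_self_signature_ok "$WORK/intruder.csr"  && echo "intruder CSR: self-signature ok too (proves nothing about identity)"
csr_matches_letter "$LETTER_FP" "$WORK/applicant.csr" && echo "applicant CSR bound to letter: fingerprint matches"
csr_matches_letter "$LETTER_FP" "$WORK/intruder.csr"  || echo "intruder CSR rejected: fingerprint does not match letter"
```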
