From: Jim Choate <ravage@EINSTEIN.ssz.com>
To: cypherpunks@toad.com
Message Hash: 633036c2ebb2d6558a3e917cc82889e43f0603dfe623e85b1e4fe9c273d4999f
Message ID: <199701202326.PAA23000@toad.com>
Reply To: N/A
UTC Datetime: 1997-01-20 23:26:10 UTC
Raw Date: Mon, 20 Jan 1997 15:26:10 -0800 (PST)
From: Jim Choate <ravage@EINSTEIN.ssz.com>
Date: Mon, 20 Jan 1997 15:26:10 -0800 (PST)
To: cypherpunks@toad.com
Subject: Server Authentication
Message-ID: <199701202326.PAA23000@toad.com>
MIME-Version: 1.0
Content-Type: text/plain
Forwarded message:
Forwarded message:
> Date: Mon, 20 Jan 1997 09:26:05 -0800 (PST)
> From: Eric Murray <ericm@lne.com>
> Subject: Re: Server Authentication
>
> I think that you can get access to the server's certificate.
> I know you can from the CGI interface. Unfortunately it's the
> raw ASN.1 encoded certificate, so you would have to ASN.1 decode it.
> Bleah.
>
> If the SSL handshake completes, then you can assume that the client
> has verified and authenticated the server certificate. The only problem
> would be that the authentication might not be up to the plugin's standards-
> i.e. a connection to www.foo.com is somehow intercepted by
> www.ripoff-plugins.com. The server www.ripoff-plugins.com presents a cert
> who's name is www.foo.com. The browser correctly presents a pop-up dialog
> noting the discrepancy, and the luser operating the client clicks
> on the 'OK' button, allowing the SSL handshake to finish. Oops.
Isn't LDAP v3 supposed to answer some of these questions related to server
authentication as well anonymity of the users site (if desired)?
Jim Choate
CyberTects
ravage@ssz.com
Return to January 1997
Return to “Jim Choate <ravage@EINSTEIN.ssz.com>”
1997-01-20 (Mon, 20 Jan 1997 15:26:10 -0800 (PST)) - Server Authentication - Jim Choate <ravage@EINSTEIN.ssz.com>