[16499] in cryptography@c2.net mail archive


Re: SSL/TLS passive sniffing

daemon@ATHENA.MIT.EDU (Dirk-Willem van Gulik)
Sun Dec 5 15:28:28 2004

X-Original-To: cryptography@metzdowd.com
Date: Wed, 1 Dec 2004 23:12:51 -0800 (PST)
From: Dirk-Willem van Gulik <dirkx@webweaving.org>
To: Anne & Lynn Wheeler <lynn@garlic.com>
Cc: Ben Nagy <bnagy@eeye.com>, cryptography@metzdowd.com
In-Reply-To: <41AE11C9.7050808@garlic.com>
On Wed, 1 Dec 2004, Anne & Lynn Wheeler wrote:

> the other attack is on the certification authorities business process

Note that in a fair number of Certificate issuing processes common in
industry the CA (sysadmin) generates both the private key -and-
certificate, signs it and then exports both to the user's PC (usually
as part of a VPN or Single Sign-On setup). I've seen situations more than
once where the 'CA' keeps a copy of both on file. Generally to ensure that
after the termination of an employee or the loss of a laptop things 'can
be set right' again.

Suffice it to say that this makes eavesdropping even easier.

Dw

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com
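The two issuance flows van Gulik contrasts, as an added example that is not part of the original post or of any product he describes: a hypothetical internal CA that either generates the user's key itself and keeps a copy on file (the practice described above), or only signs a CSR the user made locally, so that the private key never reaches the CA. CanDecrypt then plays the passive eavesdropper: a secret sent under RSA key transport to the certificate's public key can be read by whoever holds the matching private key, which, in the first flow, includes the CA's file. The CA name, the user names "alice" and "bob", the session secret and all function names are assumptions made for this example; it uses only the Go standard library.

```go
package main

import (
	"crypto/rand"
	"crypto/rsa"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// CA is a hypothetical internal CA; Escrow models the user keys it keeps on file.
type CA struct {
	Key    *rsa.PrivateKey
	Cert   *x509.Certificate
	Escrow map[string]*rsa.PrivateKey // subject CN -> private key the CA kept
}

func NewCA() (*CA, error) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // error only on RNG failure, ignored in this demo
	ca := &CA{Key: key, Escrow: map[string]*rsa.PrivateKey{}}
	cert, err := ca.issue("Example Corp Internal CA", &key.PublicKey, true) // assumed name
	ca.Cert = cert
	return ca, err
}

// issue signs a certificate for pub (a public key is all a CA needs); isCA makes it the CA's own self-signed cert.
func (ca *CA) issue(cn string, pub any, isCA bool) (*x509.Certificate, error) {
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(time.Now().UnixNano()),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageKeyEncipherment,
	}
	parent := ca.Cert
	if isCA {
		tmpl.KeyUsage, parent = x509.KeyUsageCertSign, tmpl
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, ca.Key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// IssueWithGeneratedKey is the flow the post describes: the admin generates the key, signs, exports both, keeps a copy.
func (ca *CA) IssueWithGeneratedKey(cn string) (*rsa.PrivateKey, *x509.Certificate, error) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // see NewCA
	cert, err := ca.issue(cn, &key.PublicKey, false)
	ca.Escrow[cn] = key // whoever can read this file can read the user's traffic
	return key, cert, err
}

// MakeCSR is the user's half of the CSR flow: the key stays local; only a signed request carrying the public key goes out.
func MakeCSR(cn string) (*rsa.PrivateKey, []byte, error) {
	key, _ := rsa.GenerateKey(rand.Reader, 2048) // see NewCA
	der, err := x509.CreateCertificateRequest(rand.Reader, &x509.CertificateRequest{Subject: pkix.Name{CommonName: cn}}, key)
	return key, der, err
}

// Enroll is the CA's half: check the CSR signature (proof of possession) and sign; the private key never reaches the CA.
func (ca *CA) Enroll(csrDER []byte) (*x509.Certificate, error) {
	csr, err := x509.ParseCertificateRequest(csrDER)
	if err != nil {
		return nil, err
	}
	if err := csr.CheckSignature(); err != nil {
		return nil, fmt.Errorf("CSR proof of possession failed: %w", err)
	}
	return ca.issue(csr.Subject.CommonName, csr.PublicKey, false)
}

// CanDecrypt models the passive eavesdropper: a secret sent under RSA key transport (PKCS#1 v1.5, as in
// classic TLS RSA key exchange) to the certificate's public key is recovered by whoever holds key.
func CanDecrypt(cert *x509.Certificate, key *rsa.PrivateKey, secret []byte) bool {
	if key == nil { // nothing on file for this subject
		return false
	}
	ct, _ := rsa.EncryptPKCS1v15(rand.Reader, cert.PublicKey.(*rsa.PublicKey), secret)
	pt, err := rsa.DecryptPKCS1v15(rand.Reader, key, ct)
	return err == nil && string(pt) == string(secret)
}

func main() {
	ca, _ := NewCA()
	_, aliceCert, _ := ca.IssueWithGeneratedKey("alice") // user names are assumed
	_, csr, _ := MakeCSR("bob")
	bobCert, _ := ca.Enroll(csr)
	secret := []byte("constructed session secret")
	fmt.Println("CA can read alice:", CanDecrypt(aliceCert, ca.Escrow["alice"], secret)) // true
	fmt.Println("CA can read bob:", CanDecrypt(bobCert, ca.Escrow["bob"], secret))       // false
}
```

The point of the split is that a CA's job only ever requires the subject's public key: in the CSR flow the CA checks the request's self-signature as proof the requester holds the private key and never has anything worth keeping "on file", so a copy of the CA's records (or of the admin's laptop) yields no key that decrypts user traffic.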
