[5660] in Kerberos
Re: SSL as Kerb replacement
daemon@ATHENA.MIT.EDU (Donald T. Davis)
Thu Aug 10 19:57:42 1995
To: kerberos@MIT.EDU
Cc: bkelley@cat.cup.hp.com
Date: Thu, 10 Aug 1995 19:48:57 -0400
From: "Donald T. Davis" <don@cam.ov.com>
here is bob kelley's response to my discussion
of my man-in-the-middle attack on ssl. i have
responded to him in private e-mail. if there's
interest, i'll summarize the conclusion of our
exchanges for the list, once we're done.
-don davis, boston
------- Forwarded Message
From: Bob Kelley <bkelley@cat.cup.hp.com>
Subject: Re: SSL as Kerb replacement
To: don@cam.ov.com (Donald T. Davis)
Date: Thu, 10 Aug 1995 15:25:17 -0700 (PDT)
Hi Don,
Thanks for the note. The original note I saw from you
was on the usenet group for kerberos. Are there any
mailing lists dedicated to kerberos that you are on?
I would like to subscribe to these.
I think your concern over the top level CA public key's
authenticity may be a little too great. I mean right now
it is true that the rsa/verisign and netscape ca public
keys are hardcoded into the sslref2.0 from netscape. In
my version, I could just have them reference a directory
of trusted CA public key certs that have been verified somehow
by the administrator. For people who are very concerned
about the CA certs, we could set up delivery processes
to provide the certs securely: fingerd/httpd, FAX, normal
mail, or phone confirmation. By using multiple approval
channels, I think I could be 100% sure of the CA cert.
- --
Bob Kelley Bkelley@cup.hp.com 1-(408)-447-2841
Hewlett-Packard 19420 Homestead Road MS 43LF Cupertino, CA 95014
(PGP pubkey available from bkelley-pgp-pubkey@cat.cup.hp.com)
------- End of Forwarded Message
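
The multi-channel confirmation Bob Kelley describes, sketched as an admission check for a trusted-CA directory. This is an added example, not code from either message or from sslref; the function names, the use of SHA-256 fingerprints, the channel labels and the sample bytes are all assumptions made for illustration.

```python
import hashlib
import hmac


def fingerprint(der_bytes: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, as lowercase hex."""
    return hashlib.sha256(der_bytes).hexdigest()


def normalize(reported: str) -> str:
    """Reduce a fingerprint as read from a fax, letter or phone call
    ('AB:CD:..', 'ab cd ..', 'ABCD..') to bare lowercase hex."""
    return "".join(c for c in reported.lower() if c in "0123456789abcdef")


def colon_form(hex_fp: str) -> str:
    """Render a hex fingerprint the way it is usually printed: 'AB:CD:..'."""
    return ":".join(hex_fp[i:i + 2] for i in range(0, len(hex_fp), 2)).upper()


def vet_ca_cert(der_bytes: bytes, channel_fps: dict, min_channels: int = 2):
    """Decide whether a candidate CA cert may enter the trusted directory.

    channel_fps maps a channel label to the fingerprint received over it.
    Returns (admit, mismatched): admit is True only when at least
    min_channels channels reported and every one matches the candidate.
    """
    actual = fingerprint(der_bytes)
    mismatched = sorted(
        name for name, reported in channel_fps.items()
        if not hmac.compare_digest(normalize(reported), actual)
    )
    admit = len(channel_fps) >= min_channels and not mismatched
    return admit, mismatched


# Constructed sample input: stand-ins for certificate bytes, not real certs.
SAMPLE_CA_DER = b"constructed-sample-ca-certificate-bytes"
SUBSTITUTED_DER = b"constructed-substituted-certificate-bytes"

if __name__ == "__main__":
    genuine = fingerprint(SAMPLE_CA_DER)
    reports = {"fax": colon_form(genuine), "phone": genuine, "mail": genuine.upper()}
    print("genuine cert:    ", vet_ca_cert(SAMPLE_CA_DER, reports))
    print("substituted cert:", vet_ca_cert(SUBSTITUTED_DER, reports))
    # One channel carrying a different fingerprint blocks admission.
    reports["finger"] = fingerprint(SUBSTITUTED_DER)
    print("one bad channel: ", vet_ca_cert(SAMPLE_CA_DER, reports))
```

The check gives assurance only to the extent that the channels are independent of one another and of the path the certificate itself arrived on.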