An auditor said it, so it must be true :-)) Just kidding.

-----Original Message-----
From: IBM Mainframe Discussion List [mailto:[EMAIL PROTECTED] On Behalf Of Ulrich Boche
Sent: Monday, October 06, 2008 10:17 AM
To: [email protected]
Subject: Re: Digital Certificate Implementation TN3270

Hal Merritt wrote:
> That was then. This is now. The target continues to move. Plan on client
> certificates if you are subject to privacy regulations.
>
> The reason I was given is that server only authentication is vulnerable
> to a 'man in the middle' attack vector.
>
> HTH and good luck.
>

Client certificates allow the server to authenticate the client. The use of client certificates has no bearing whatsoever on the prevention of man-in-the-middle attacks. To prevent this kind of attack with a mainframe emulation, you need to make sure that your client (such as IBM PCOMM):

1. only recognizes trusted Certification Authorities (like Verisign or your own company CA) for server certificates.
2. has the option selected to verify the hostname. In this case, the cn= attribute in the subject's name in the server certificate must be identical to the hostname. Alternatively, the altName= attribute can be used in the certificate to specify the hostname.

IBM PCOMM does not accept self-signed server certificates. This is helpful in preventing MITM attacks.
--
Ulrich Boche
SVA GmbH, Germany
IBM Premier Business Partner

----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to [EMAIL PROTECTED] with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html

NOTICE: This electronic mail message and any files transmitted with it are intended exclusively for the individual or entity to which it is addressed. The message, together with any attachment, may contain confidential and/or privileged information. Any unauthorized review, use, printing, saving, copying, disclosure or distribution is strictly prohibited. If you have received this message in error, please immediately advise the sender by reply email and delete all copies.
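The two emulator-side checks described in the quoted message (trust only known CAs for the server certificate, and require the dialled hostname to match the certificate's CN or altName), shown as an added Python example. This is not code from the thread, from IBM PCOMM or from any TN3270 product; the certificate dictionaries are constructed samples in the shape that Python's `ssl.SSLSocket.getpeercert()` returns, the CA bundle path is a placeholder, and the matcher goes slightly beyond the message by applying the usual RFC 6125 rules (DNS altNames take precedence over the CN, and a wildcard is honoured only as the whole leftmost label).

```python
"""
Added example, not part of the IBM-MAIN thread.  Demonstrates why server-only
TLS authentication is enough against an impersonating server *provided* the
client does the two things the post lists: trust only known CAs and verify the
hostname against the server certificate.
"""
import ssl
from typing import Optional


def _dns_name_matches(pattern: str, hostname: str) -> bool:
    """Case-insensitive DNS comparison; '*' is accepted only as the entire leftmost label."""
    p_labels = pattern.lower().rstrip(".").split(".")
    h_labels = hostname.lower().rstrip(".").split(".")
    if len(p_labels) != len(h_labels):
        return False
    if p_labels[0] == "*":
        # Wildcard must still leave at least two fixed labels (no "*.com").
        return len(p_labels) > 2 and p_labels[1:] == h_labels[1:]
    return p_labels == h_labels


def hostname_matches(cert: dict, hostname: str) -> bool:
    """
    The check the post calls "verify the hostname": the host the emulator
    connected to must equal a dNSName in subjectAltName or, when the
    certificate carries no DNS altNames, the cn= attribute of the subject.
    `cert` is a dict in the shape returned by ssl.SSLSocket.getpeercert().
    """
    dns_names = [value for kind, value in cert.get("subjectAltName", ()) if kind == "DNS"]
    if dns_names:
        return any(_dns_name_matches(name, hostname) for name in dns_names)
    for rdn in cert.get("subject", ()):
        for key, value in rdn:
            if key == "commonName":
                return _dns_name_matches(value, hostname)
    return False  # no usable name at all: fail closed


def make_client_context(ca_bundle_path: Optional[str] = None) -> ssl.SSLContext:
    """
    Client context configured the way the post recommends for the emulator:
    verification is mandatory, only the CAs in ca_bundle_path are trusted
    (the system store is deliberately NOT loaded, so a self-signed or
    unknown-CA server certificate is refused), and check_hostname makes the
    handshake perform the CN/altName comparison shown above.
    ca_bundle_path=None leaves the trust store empty, which fails every
    handshake; it is only useful for inspecting the settings offline.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.verify_mode = ssl.CERT_REQUIRED
    ctx.check_hostname = True
    if ca_bundle_path is not None:
        ctx.load_verify_locations(cafile=ca_bundle_path)  # e.g. "/etc/pki/company-ca.pem" (placeholder)
    return ctx


def context_is_strict(ctx: ssl.SSLContext) -> bool:
    """True when the context enforces both CA verification and hostname matching."""
    return ctx.verify_mode == ssl.CERT_REQUIRED and ctx.check_hostname


# Constructed sample certificates (shaped like getpeercert() output).
TSO_CERT = {
    "subject": (
        (("countryName", "DE"),),
        (("organizationName", "Example Corp"),),
        (("commonName", "tso.example.com"),),
    ),
    "subjectAltName": (("DNS", "tso.example.com"), ("DNS", "*.mf.example.com")),
}
CN_ONLY_CERT = {"subject": ((("commonName", "legacy.example.com"),),)}


if __name__ == "__main__":
    for cert, host in [(TSO_CERT, "tso.example.com"), (TSO_CERT, "lpar1.mf.example.com"),
                       (TSO_CERT, "attacker.example.com"), (CN_ONLY_CERT, "legacy.example.com")]:
        print(f"{host:24} -> {'accept' if hostname_matches(cert, host) else 'REJECT'}")
    print("strict context:", context_is_strict(make_client_context()))
```

In a real emulator the matcher above is not called by hand: `check_hostname=True` together with `server_hostname=` on `wrap_socket()` makes the TLS library perform the same comparison, and a failure aborts the handshake before any 3270 traffic flows.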

