On 10/5/08 8:47 PM, "Graeme Ruthven" <[EMAIL PROTECTED]> wrote:
>
>> > Back to the original question, if an MFI decides to certify
>> > its own certificate, the question then becomes, how can all
>> > the computers needed to access that particular MIFO
>> > deployment get a copy of the MFI's own root certificate,
>> > reliably, knowing that it is the real one?
>
> By checking the fingerprint when it is installed.
>
> A man in the middle attack would require the attacker to generate a
> certificate with your CN and OU information, and with the same fingerprint
> as yours. A difficult proposition...
>
That may be, but in my experience in organizations, even though you can
educate everyone to do this, tell everyone to do this, etc., you can't really
expect everyone to do this. Much like setting password policies.
I still believe that for the costs of CACert.org's (free) or even the ones
Andrew provided, which were only a few hundred dollars, it would be preferable to
self-certifying for larger organizations (maybe if you have one or two
branches, it's easier to manage, but when you get up to 50 computers...).
Ryan
Ryan Whitney
Mifos Technical Program Manager
[EMAIL PROTECTED]
Mifos - Technology that Empowers Microfinance (www.mifos.org)
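As an added example, not code from the thread or from the Mifos project: the fingerprint check Graeme describes, scripted so that a workstation refuses a self-signed root whose SHA-256 fingerprint does not match the value the MFI published out of band. The certificate bytes and the published fingerprint are constructed placeholders, not real Mifos values.

```python
"""Refuse to trust a self-signed root unless its fingerprint matches.

Added example; assumes the MFI distributes the root's SHA-256 fingerprint
out of band (printed, phoned, intranet page) and admins run this on each
machine instead of eyeballing the value in a certificate dialog.
"""
import base64
import hashlib
import hmac
import ssl


def sha256_fingerprint(pem_text: str) -> str:
    """SHA-256 fingerprint in OpenSSL's colon-separated upper-case hex form.

    ssl.PEM_cert_to_DER_cert only strips the PEM armour and base64-decodes;
    the digest is over the DER bytes, matching `openssl x509 -fingerprint`.
    """
    der = ssl.PEM_cert_to_DER_cert(pem_text)
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def verify_root_cert(pem_text: str, expected_fingerprint: str) -> bool:
    """True only if the certificate's fingerprint equals the published one.

    Separators and case are ignored so a value copied from a letter or web
    page still matches; the compare itself is constant-time.
    """
    def normalise(fp: str) -> str:
        return fp.replace(":", "").replace(" ", "").upper()
    actual = normalise(sha256_fingerprint(pem_text))
    return hmac.compare_digest(actual, normalise(expected_fingerprint))


def pem_from_der(der: bytes) -> str:
    """Wrap raw bytes in PEM armour (helper for the constructed samples)."""
    body = base64.encodebytes(der).decode("ascii")
    return "-----BEGIN CERTIFICATE-----\n" + body + "-----END CERTIFICATE-----\n"


# Constructed placeholder bytes standing in for an exported DER root
# certificate; the fingerprint check treats the DER as opaque bytes anyway.
FAKE_DER = b"constructed-placeholder-root-certificate-bytes"
FAKE_ROOT_PEM = pem_from_der(FAKE_DER)
TAMPERED_PEM = pem_from_der(FAKE_DER + b"\x00")  # one byte changed in transit
# Stand-in for the fingerprint the MFI would publish out of band.
PUBLISHED_FINGERPRINT = sha256_fingerprint(FAKE_ROOT_PEM)

if __name__ == "__main__":
    for label, pem in (("genuine", FAKE_ROOT_PEM), ("tampered", TAMPERED_PEM)):
        ok = verify_root_cert(pem, PUBLISHED_FINGERPRINT)
        print(f"{label}: {'safe to install' if ok else 'MISMATCH, do not install'}")
```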
_______________________________________________
Mifos-functional mailing list
[email protected]
https://lists.sourceforge.net/lists/listinfo/mifos-functional