>>> [EMAIL PROTECTED] 08/09/00 02:02PM >>>
>If I obtain an SSL certificate from a top level CA (like Verisign, for
>instance), can I then issue other certificates using MY cert as the CA cert?
>Will browsers then execute a chain look up back to Verisign to satisfy the
>validity of the cert?

Nope. Not unless your certificate is flagged as a CA certificate,
which is generally not something you can get from root CA's.
Otherwise, I could use my Verisign certificate to issue a certificate for
xxx.victim.com and give it to my server, aka yyy.attacker.com, and using a
little DNS poisoning or some similar trick, I'd be able to get the browser to
trust me with no warnings at all. That would be bad. =-)
--Cliff
Cliff Woolley
Central Systems Software Administrator
Washington and Lee University
http://www.wlu.edu/~jwoolley/
Work: (540) 463-8089
Pager: (540) 462-2303
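
The check described in the reply above can be reproduced with the OpenSSL command line. This is an added example, not part of the original message: it builds a throwaway root, issues site.example from it either as an end-entity (CA:FALSE) or as a CA (CA:TRUE), lets site.example sign other.example, and asks `openssl verify` whether the chain back to the root is accepted. All names, the config file `cfg` and the helper functions are constructed for the illustration.

```shell
#!/usr/bin/env bash
# Added example. All names (root, site.example, other.example) are constructed.
set -eu

# mk NAME: create NAME.key and NAME.csr with subject CN=NAME.
mk() {
  openssl req -new -newkey rsa:2048 -nodes -config cfg -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
}

# sign NAME ISSUER SECTION: issue NAME.pem from NAME.csr using ISSUER's key,
# with the basicConstraints value from SECTION ("ca" or "ee") of cfg.
sign() {
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days 2 -extfile cfg -extensions "$3" -out "$1.pem" 2>/dev/null
}

# check_chain SECTION: build root -> site.example -> other.example, where
# site.example carries the basicConstraints from SECTION, then validate
# other.example against the root. Prints "accepted" or "rejected".
check_chain() (
  d=$(mktemp -d); trap 'rm -rf "$d"' EXIT; cd "$d"
  printf '%s\n' '[req]' 'distinguished_name = dn' '[dn]' 'CN = unused' \
    '[ca]' 'basicConstraints = critical,CA:TRUE' \
    '[ee]' 'basicConstraints = critical,CA:FALSE' > cfg
  mk root; mk site.example; mk other.example
  # Self-signed root that is flagged as a CA.
  openssl x509 -req -in root.csr -signkey root.key -days 2 \
    -extfile cfg -extensions ca -out root.pem 2>/dev/null
  sign site.example root "$1"
  # site.example signs another name; the signing tool does not object.
  sign other.example site.example ee
  # The verifier is where the CA flag of site.example gets checked.
  if openssl verify -CAfile root.pem -untrusted site.example.pem \
       other.example.pem 2>/dev/null | grep -q ': OK$'; then
    echo accepted
  else
    echo rejected
  fi
)

echo "site.example issued as end-entity (CA:FALSE): $(check_chain ee)"
echo "site.example issued as a CA (CA:TRUE):        $(check_chain ca)"
```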
