Thanks for the quick response!!!
 
Robert T. Stutes

Robert Stutes
Senior Unix Administrator
Phoenix Networks • http://www.phoenixdsl.com

Toll Free (877) 7DSL-NOW - Direct (314) 983-6161 - Fax (314) 983-7100

Email: [EMAIL PROTECTED]

-----Original Message-----
From: Cliff Woolley [mailto:[EMAIL PROTECTED]]
Sent: Wednesday, August 09, 2000 3:20 PM
To: [EMAIL PROTECTED]
Subject: Re: SSL CA certificates

>>> [EMAIL PROTECTED] 08/09/00 02:02PM >>>
>If I obtain an SSL certificate from a top level CA (like Verisign, for
>instance), can I then issue other certificates using MY cert as the CA cert?
>Will browsers then execute a chain look up back to Verisign to satisfy the
>validity of the cert?
Nope.  Not unless your certificate is flagged as a CA certificate, which is generally not something you can get from root CAs.
 
Otherwise, I could use my Verisign certificate to issue a certificate for xxx.victim.com and give it to my server, aka yyy.attacker.com, and using a little DNS poisoning or some similar trick, I'd be able to get the browser to trust me with no warnings at all.  That would be bad.  =-)
 
--Cliff
 
 
Cliff Woolley
Central Systems Software Administrator
Washington and Lee University
http://www.wlu.edu/~jwoolley/
 
Work: (540) 463-8089
Pager: (540) 462-2303
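
A simplified model of the check described in the reply above, added here as an illustration and not part of either message: during path validation, every certificate that acts as an issuer must carry a basicConstraints extension with cA set to TRUE. The `Cert` class, `validate_chain`, the root name and the DER bytes are constructed for this example; signature, validity-period and hostname checks are left out.

```python
from dataclasses import dataclass
from typing import List, Optional, Set, Tuple

def parse_basic_constraints(der: bytes) -> Tuple[bool, Optional[int]]:
    """Decode SEQUENCE { cA BOOLEAN DEFAULT FALSE, pathLenConstraint INTEGER OPTIONAL }.
    Short-form DER lengths only."""
    if len(der) < 2 or der[0] != 0x30 or der[1] != len(der) - 2:
        raise ValueError("malformed BasicConstraints SEQUENCE")
    body, is_ca, path_len = der[2:], False, None
    if len(body) >= 3 and body[:2] == b"\x01\x01":          # BOOLEAN cA
        is_ca, body = body[2] == 0xFF, body[3:]
    if len(body) >= 3 and body[0] == 0x02 and body[1] == len(body) - 2:
        path_len, body = int.from_bytes(body[2:], "big"), b""  # INTEGER pathLen
    if body:
        raise ValueError("unexpected data in BasicConstraints")
    return is_ca, path_len

@dataclass
class Cert:  # hypothetical stand-in for a parsed X.509 certificate
    subject: str
    issuer: str
    basic_constraints: Optional[bytes]  # DER extension value; None if absent

def validate_chain(chain: List[Cert], trusted_roots: Set[str]) -> Tuple[bool, str]:
    """chain[0] is the end-entity certificate, chain[-1] the root."""
    if chain[-1].subject not in trusted_roots:
        return False, "chain does not end at a trusted root"
    for depth, (child, issuer) in enumerate(zip(chain, chain[1:])):
        if child.issuer != issuer.subject:
            return False, f"{child.subject}: issuer name mismatch"
        is_ca, path_len = (False, None)
        if issuer.basic_constraints is not None:
            is_ca, path_len = parse_basic_constraints(issuer.basic_constraints)
        if not is_ca:  # the rule from the reply: only CA-flagged certs may issue
            return False, f"{issuer.subject}: not a CA certificate"
        if path_len is not None and depth > path_len:  # depth = intermediates below issuer
            return False, f"{issuer.subject}: pathLenConstraint exceeded"
    return True, "ok"

# Constructed sample data (host names reuse the placeholders from the message above).
ROOTS = {"Constructed Root CA"}
ROOT = Cert("Constructed Root CA", "Constructed Root CA", bytes.fromhex("30030101ff"))
SITE = Cert("yyy.attacker.com", "Constructed Root CA", bytes.fromhex("3000"))
FORGED = Cert("xxx.victim.com", "yyy.attacker.com", bytes.fromhex("3000"))

if __name__ == "__main__":
    print(validate_chain([SITE, ROOT], ROOTS))          # site cert itself validates
    print(validate_chain([FORGED, SITE, ROOT], ROOTS))  # rejected at the non-CA issuer
```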
