J. Wren Hunt wrote:

> If the email in question is being used by the CA to verify ownership of
> the domain then yes, encryption would foil the attacker's ability to
> perform any related change, predicated of course on an existing
> relationship between CA and its client. Or more simply, if you divert my
> unencrypted mail you may act on the information you receive and I will
> be none the wiser (at least in the short term). Divert my encrypted mail
> and neither of us can act; you can't because you can't decrypt and I
> because I wouldn't be aware of the now missing missive anyway.


Yes, but that's not the attack.  The original problem
here - I think, please correct me if wrong - was that I,
being the bad guy, decide to get a cert for your domain.

I do the natty DNS poisoning trick that Nelson spoke
of.  I create a key and I send it to the CA.  Then the
CA sends back an encrypted email to that key, I
decrypt it, and follow the instructions...

You, the original domain owner, never get involved...

iang

--
News and views on what matters in finance+crypto:
       http://financialcryptography.com/

_______________________________________________
mozilla-crypto mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-crypto
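The two scenarios argued over above, as an added example that is not code from this thread or from Mozilla. The CA, the resolver cache, the mail servers and the `Sealed` envelope are hypothetical stand-ins; the envelope only models who can open a message (a key-id check) and performs no real cryptography. Both runs share one setup, the attacker having poisoned the CA's MX record for the victim domain; the only thing that changes is whose key the certificate request carries.

```python
# Added example: model of the CA domain-validation flow discussed in the thread.
# Not code from the thread or from Mozilla.  CA, resolver cache, mail servers
# and Sealed envelope are hypothetical; Sealed models access, not encryption.
import secrets
from dataclasses import dataclass, field


@dataclass
class KeyPair:
    """Stand-in for a public/private key pair; kid plays the public half."""
    holder: str
    kid: str = field(default_factory=lambda: secrets.token_hex(8))


@dataclass
class Sealed:
    """Message readable only by the holder of `kid` (access model, not crypto)."""
    kid: str
    body: str


def decrypt(key: KeyPair, msg: Sealed) -> str:
    if msg.kid != key.kid:
        raise PermissionError(f"{key.holder} cannot open mail sealed to {msg.kid}")
    return msg.body


class MailServer:
    def __init__(self) -> None:
        self.inbox: list[Sealed] = []


class CA:
    """Validates control of a domain by mailing a challenge to admin@<domain>,
    sealed to the key the requester supplied, via the MX its resolver returns."""

    def __init__(self, mx_records: dict[str, str], servers: dict[str, MailServer]) -> None:
        self.mx_records = mx_records  # the CA's resolver cache (poisonable)
        self.servers = servers        # MX hostname -> server that receives for it
        self.pending: dict[tuple[str, str], str] = {}
        self.issued: list[dict[str, str]] = []

    def request(self, domain: str, requester: KeyPair) -> None:
        challenge = secrets.token_hex(16)
        self.pending[(domain, requester.kid)] = challenge
        mx_host = self.mx_records[domain]  # trusts DNS for where admin@domain lives
        self.servers[mx_host].inbox.append(Sealed(requester.kid, challenge))

    def respond(self, domain: str, requester: KeyPair, answer: str):
        if self.pending.get((domain, requester.kid)) == answer:
            cert = {"domain": domain, "kid": requester.kid}
            self.issued.append(cert)
            return cert
        return None


def run(requester_is_attacker: bool) -> dict:
    """Shared setup: the attacker has poisoned the CA's MX record for
    example.com, so the CA's validation mail lands on the attacker's server."""
    owner, attacker = KeyPair("owner"), KeyPair("attacker")
    servers = {"mail.example.com": MailServer(), "mx.attacker.example": MailServer()}
    ca = CA({"example.com": "mx.attacker.example"}, servers)

    requester = attacker if requester_is_attacker else owner
    ca.request("example.com", requester)

    # The attacker reads whatever reached the poisoned MX and tries to answer.
    cert = None
    attacker_could_read = False
    for msg in servers["mx.attacker.example"].inbox:
        try:
            answer = decrypt(attacker, msg)
        except PermissionError:
            continue  # Hunt's case: diverted but sealed to the owner's key
        attacker_could_read = True
        cert = ca.respond("example.com", attacker, answer)

    return {
        "attacker_could_read": attacker_could_read,
        "owner_received_mail": bool(servers["mail.example.com"].inbox),
        "issued_to_attacker": cert is not None and cert["kid"] == attacker.kid,
        "issued_for": cert["domain"] if cert else None,
    }


if __name__ == "__main__":
    print("owner requests, mail diverted:", run(requester_is_attacker=False))
    print("attacker requests, own key:   ", run(requester_is_attacker=True))
```

The first run is Hunt's case: the diverted mail is sealed to the owner's key, the attacker cannot open it, nothing is issued, and the owner simply never sees the message. The second run is iang's case: the attacker supplies the key in the request, so the CA seals the challenge to a key the attacker holds, the poisoned MX delivers it to the attacker, and a certificate for example.com is issued to the attacker's key while the owner's mailbox stays empty. The encryption protects the confidentiality of the challenge but says nothing about whether the key it is sealed to belongs to the domain's owner; that binding is asserted by the request itself.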