Greg Stark wrote:
> The attack you are referring to is defeated by the client checking the
> identity that is contained in the certificate. I do not know why you are so
> sure that this checking is not normally done. IE and Netscape Nav. do it,
> for example [...]
IE 5.x does not, by default, check to see if the server or signer certificate
is revoked. These must be turned on in the advanced options. This is a real
problem because it means an attacker can break into a web site, steal their
certificates and do what they wish to do without the certificate owner being able
to do anything about it because they can't revoke their certificates in a
meaningful way.
--
Michael T. Babcock (PGP: 0xBE6C1895)
http://www.fibrespeed.net/~mbabcock/
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [EMAIL PROTECTED]
Automated List Manager [EMAIL PROTECTED]
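The revocation gap discussed above, reproduced with OpenSSL's own command-line tools as an added example (not code from the original thread): a throwaway CA issues a server certificate, the certificate is revoked, and `openssl verify` only rejects it once CRL checking is enabled. The CA layout, file names and the hostname www.example.test are constructed for the demo.

```shell
# Added example, not from the original post: a throwaway CA issues a server
# certificate, revokes it, and `openssl verify` only rejects the revoked
# certificate once CRL checking is switched on. All names are constructed.
set -e
WORK="$(mktemp -d)"; cd "$WORK"
# Minimal config so `openssl ca` can sign, revoke and publish a CRL.
cat > ca.cnf <<'EOF'
[ ca ]
default_ca = demo
[ demo ]
database = index.txt
new_certs_dir = .
certificate = ca.pem
private_key = ca.key
serial = serial
default_md = sha256
default_days = 365
default_crl_days = 30
policy = any
x509_extensions = v3_srv
[ any ]
commonName = supplied
[ req ]
distinguished_name = any
x509_extensions = v3_ca
[ v3_ca ]
basicConstraints = critical,CA:true
keyUsage = critical,keyCertSign,cRLSign
[ v3_srv ]
basicConstraints = CA:false
EOF
touch index.txt; echo 01 > serial
# Root CA, then a server certificate issued by it.
openssl req -x509 -newkey rsa:2048 -nodes -keyout ca.key -out ca.pem \
  -subj "/CN=Demo Root CA" -days 365 -config ca.cnf >/dev/null 2>&1
openssl req -newkey rsa:2048 -nodes -keyout srv.key -out srv.csr \
  -subj "/CN=www.example.test" -config ca.cnf >/dev/null 2>&1
openssl ca -batch -notext -config ca.cnf -in srv.csr -out srv.pem >/dev/null 2>&1
# The owner learns the key was stolen: revoke it and publish a CRL.
openssl ca -config ca.cnf -revoke srv.pem >/dev/null 2>&1
openssl ca -config ca.cnf -gencrl -out crl.pem >/dev/null 2>&1
# Prints OK or REJECTED. "crl" consults the CRL, as a client with revocation
# checking enabled would; "nocrl" ignores it, which is the IE 5.x default.
verify_server_cert() {
  opts=""; [ "$1" = crl ] && opts="-CRLfile crl.pem -crl_check"
  openssl verify -CAfile ca.pem $opts srv.pem >/dev/null 2>&1 \
    && echo OK || echo REJECTED
}
verify_server_cert nocrl   # OK: the stolen certificate still looks valid
verify_server_cert crl     # REJECTED: the CRL lists it as revoked
```

The first call is what a client that never fetches the CRL sees: the chain verifies and the stolen certificate remains usable until it expires, which is exactly why revocation must be checked on the client side to mean anything.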