* Patrick Patterson wrote on Sun, Feb 07, 2010 at 10:14 -0500:
> > A quick question here. Should the Certificate Signing Request message be
> > protected when requesting for Certificate from CA?

I think, if you want to certify that a public matches subject description, of course you should authenticate both.

> The first question, is "How are you protecting this channel?" - there
> are several common ways. For instance, in many models, the Subscriber
> logs into an interface (usually a web site) provided by the CA, which is
> protected by SSL/TLS, using one or more codes provided to that

If you already have a mutual trust, why would you want to create an additional certificate? I think, for renewal, strictly speaking, this might not be the best; if the keys or certs are changed due to security reasons, it seems doubtful to protect the renewal process by exactly the keys/certs to be changed.

> Properly done, there is very little room for a MITM attack to succeed.
> However, to further mitigate this...

I think it feels a bit like pulling yourself up by your bootstraps... Often it is not possible to increase the security level by the security that is to be increased, is it?

oki,

Steffen