> In most applications, servers only trust 
> certs issued by a particular CA (perhaps a local CA) and not 
> the universe of possible commercial CAs that are available 
> by default in the web server (since commercial CAs typically 
> have pretty weak auth criteria - Verisign, for example, lets 
> you get one for "test purposes" using just your email 
> address.)  So, using a spurious CA that you control is 
> (usually) out of the question.  

Many applications will also allow you to establish trust based on the
user certificate [chain] instead of a root CA certificate.  If it
supports it, this is a nice way to lock things down a little more
solidly.

-David
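The two trust models from the exchange above, worked through with the openssl command line. This is an added example, not code from the original post; it assumes an openssl CLI (1.1.1 or 3.x) in PATH, and the CA and user names (local-ca, other-ca, alice, mallory, bob) are constructed for the demonstration. It contrasts trusting one specific CA (a cert signed by any other CA fails, however reputable the CA), trusting the user certificate itself as the anchor via -partial_chain (even a second cert from the same local CA fails), and an application-level SHA-256 fingerprint allowlist.

```shell
#!/bin/sh
# Added example: pinning client-cert trust to one CA, or to one user cert.
# Assumes the openssl CLI; all names and certificates are generated here.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Minimal req config so CA certs carry CA:TRUE/keyCertSign no matter what the
# system openssl.cnf says (and so nothing here depends on that file).
cat > "$WORK/ca.cnf" <<'EOF'
[req]
prompt = no
distinguished_name = dn
x509_extensions = ca_ext
[dn]
CN = placeholder
[ca_ext]
basicConstraints = critical,CA:TRUE
keyUsage = critical,keyCertSign,cRLSign
subjectKeyIdentifier = hash
EOF

# Leaf extensions: a client-auth certificate that is explicitly not a CA.
cat > "$WORK/client.ext" <<'EOF'
basicConstraints = CA:FALSE
keyUsage = critical,digitalSignature
extendedKeyUsage = clientAuth
subjectKeyIdentifier = hash
authorityKeyIdentifier = keyid
EOF

# make_ca NAME: self-signed CA in $WORK/NAME.pem with key in $WORK/NAME.key
make_ca() {
    openssl req -x509 -config "$WORK/ca.cnf" -subj "/CN=$1" \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/$1.key" -out "$WORK/$1.pem" -days 30 >/dev/null 2>&1
}

# issue_client CA NAME: fresh key + CSR for NAME, signed by CA as a client cert
issue_client() {
    openssl req -new -config "$WORK/ca.cnf" -subj "/CN=$2" \
        -newkey ec -pkeyopt ec_paramgen_curve:prime256v1 -nodes \
        -keyout "$WORK/$2.key" -out "$WORK/$2.csr" >/dev/null 2>&1
    openssl x509 -req -in "$WORK/$2.csr" -CA "$WORK/$1.pem" -CAkey "$WORK/$1.key" \
        -CAcreateserial -days 30 -extfile "$WORK/client.ext" \
        -out "$WORK/$2.pem" >/dev/null 2>&1
}

# verify_against_ca CA LEAF: normal path validation, but the trust store holds
# only the one named CA, not the bundle shipped with the web server.
verify_against_ca() {
    openssl verify -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# verify_pinned TRUSTED LEAF: the user certificate itself is the trust anchor.
# -partial_chain lets a non-self-signed cert in the store terminate the chain,
# so LEAF is accepted only if it is literally the pinned cert.
verify_pinned() {
    openssl verify -partial_chain -CAfile "$WORK/$1.pem" "$WORK/$2.pem" >/dev/null 2>&1
}

# fingerprint NAME: SHA-256 over the DER cert, the value an application would
# keep in its allowlist when it cannot use the store-based pinning above.
fingerprint() {
    openssl x509 -noout -fingerprint -sha256 -in "$WORK/$1.pem" | cut -d= -f2
}

# fingerprint_matches NAME EXPECTED: allowlist check on the presented cert
fingerprint_matches() {
    [ "$(fingerprint "$1")" = "$2" ]
}

make_ca local-ca
make_ca other-ca
issue_client local-ca alice
issue_client other-ca mallory   # validly signed, just not by the CA we trust
issue_client local-ca bob       # a second user of the same local CA

# Trusting one CA: alice passes, mallory fails even though her chain is valid.
verify_against_ca local-ca alice   && echo "alice   vs local-ca: OK"
verify_against_ca local-ca mallory || echo "mallory vs local-ca: rejected"

# Trusting the user cert itself: stricter still, bob (same CA) is also rejected.
verify_pinned alice alice          && echo "alice   pinned:      OK"
verify_pinned alice mallory        || echo "mallory pinned:      rejected"
verify_pinned alice bob            || echo "bob     pinned:      rejected"

echo "alice fingerprint for an allowlist: $(fingerprint alice)"
```

The -partial_chain form is the openssl verify equivalent of what the reply calls trusting the user certificate [chain]: the anchor is the leaf (or an intermediate) rather than a self-signed root, so a certificate is only as trusted as its exact match in the store. The fingerprint variant does the same job one layer up, for applications whose TLS stack cannot be told to treat a leaf as an anchor.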
