SSL, client certs, and MITM (was WYTM?)

Thor Lancelot Simon tls at rek.tjls.com
Wed Oct 22 19:02:07 EDT 2003


On Wed, Oct 22, 2003 at 05:08:32PM -0400, Tom Otvos wrote:
> >
> > So what purpose would client certificates address? Almost all of the use
> > of SSL domain name certs is to hide a credit card number when a consumer
> > is buying something. There is no requirement for the merchant to
> > identify and/or authenticate the client .... the payment infrastructure
> > authenticates the financial transaction and the server is concerned
> > primarily with getting paid (which comes from the financial institution)
> > not who the client is.
> >
> 
> The CC number is clearly not hidden if there is a MITM.

Can you please posit an *exact* situation in which a man-in-the-middle
could steal the client's credit card number even in the presence of a
valid server certificate?  Can you please explain *exactly* how using a
client-side certificate rather than some other form of client authentication
would prevent this?

Thor

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com