SSL, client certs, and MITM (was WYTM?)

Perry E. Metzger perry at piermont.com
Wed Oct 22 21:05:01 EDT 2003


Ian Grigg <iang at systemics.com> writes:
> "Perry E. Metzger" wrote:
> > The cost of MITM protection is, in practice, zero.
> 
> Not true!  The cost is from 10 million dollars to
> 100 million dollars per annum.  Those certs cost
> money, Perry!

They cost nothing at all. I use certs every day that I've created in
my own CA to provide MITM protection, and I paid no one for them. It
isn't even hard to do.

Repeat after me:
TLS is not only for protecting HTTP, and should not be mistaken for https:.
TLS is not X.509, and should not be mistaken for X.509.
TLS is also not "buy a cert from Verisign", and should not be
mistaken for "buy a cert from Verisign".

TLS is just a pretty straightforward well analyzed protocol for
protecting a channel -- full stop. It can be used in a wide variety of
ways, for a wide variety of apps. It happens to allow you to use X.509
certs, but if you really hate X.509, define an extension to use SPKI
or SSH style certs. TLS will accommodate such a thing easily. Indeed, I
would encourage you to do such a thing.

Perry
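An added example, not part of Perry's message or of anything the list distributes: the "own CA" arrangement he describes, written against Go's standard library. The names (Home Root CA, imap.example.test, Somebody Else's CA) are constructed for the illustration. A self-signed root signs a server certificate; a verifier configured to trust only that root accepts the genuine server and refuses a certificate for the same host name issued by any other CA, which is the man-in-the-middle case. No commercial CA and no fee appears anywhere in the procedure.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/tls"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Identity is a certificate together with its private key.
type Identity struct {
	Cert *x509.Certificate
	Key  *ecdsa.PrivateKey
}

var serial int64 // toy serial counter; a real CA must never reuse a serial under one issuer

// sign generates a fresh key and has parent sign tmpl (self-signed when parent is nil).
func sign(tmpl *x509.Certificate, parent *Identity) (*Identity, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	serial++
	tmpl.SerialNumber = big.NewInt(serial)
	tmpl.NotBefore = time.Now().Add(-time.Hour)
	issuer, signer := tmpl, key // self-signed root: the template is its own issuer
	if parent != nil {
		issuer, signer = parent.Cert, parent.Key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, issuer, &key.PublicKey, signer)
	if err != nil {
		return nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return &Identity{Cert: cert, Key: key}, err
}

// NewPrivateCA makes a self-signed root: a CA you run yourself.
func NewPrivateCA(name string) (*Identity, error) {
	return sign(&x509.Certificate{
		Subject:               pkix.Name{CommonName: name},
		NotAfter:              time.Now().AddDate(10, 0, 0),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageDigitalSignature,
	}, nil)
}

// IssueServerCert has ca vouch for host; verifiers match the SAN, not the CN.
func IssueServerCert(ca *Identity, host string) (*Identity, error) {
	return sign(&x509.Certificate{
		Subject:     pkix.Name{CommonName: host},
		DNSNames:    []string{host},
		NotAfter:    time.Now().AddDate(1, 0, 0),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca)
}

// VerifyServer is the check a TLS client applies to the server's certificate:
// chain to the one trusted root and match the expected host name.
func VerifyServer(root, leaf *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// ClientConfig builds a TLS client that performs exactly VerifyServer's check
// during the handshake, with the system's public CA list left out entirely.
func ClientConfig(root *x509.Certificate, host string) *tls.Config {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	return &tls.Config{RootCAs: roots, ServerName: host, MinVersion: tls.VersionTLS12}
}

func main() {
	ca, _ := NewPrivateCA("Home Root CA") // constructed names; not a real CA
	srv, _ := IssueServerCert(ca, "imap.example.test")
	rogue, _ := NewPrivateCA("Somebody Else's CA")
	fake, _ := IssueServerCert(rogue, "imap.example.test")
	fmt.Println("own CA's server:", VerifyServer(ca.Cert, srv.Cert, "imap.example.test"))
	fmt.Println("impostor server:", VerifyServer(ca.Cert, fake.Cert, "imap.example.test"))
	fmt.Println("client pinned to", ClientConfig(ca.Cert, "imap.example.test").ServerName)
}
```

Run with `go run` and the genuine server verifies with a nil error while the impostor's certificate, valid-looking but chained to a different root, fails with an unknown-authority error. The whole trust decision is the single root placed in RootCAs; what a real private CA still has to get right is keeping that root's key offline and never reusing a serial number (the counter above is a toy).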

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com