SSL/TLS passive sniffing

Dirk-Willem van Gulik dirkx at webweaving.org
Thu Dec 2 02:12:51 EST 2004



On Wed, 1 Dec 2004, Anne & Lynn Wheeler wrote:

> the other attack is on the certification authorities business process

Note that in a fair number of Certificate issuing processes common in
industry the CA (sysadmin) generates both the private key -and-
certificate, signs it and then exports both to the user's PC (usually
as part of a VPN or Single Sign-on setup). I've seen situations more than
once where the 'CA' keeps a copy of both on file. Generally to ensure that
after the termination of an employee or the loss of a laptop things 'can
be set right' again.

Suffice to say that this makes eavesdropping even easier.

Dw

---------------------------------------------------------------------
The Cryptography Mailing List