X.509 / PKI, PGP, and IBE Secure Email Technologies

Anne & Lynn Wheeler lynn at garlic.com
Fri Dec 9 17:06:34 EST 2005


James A. Donald wrote:
> However, the main point of attack is phishing, when an
> outsider attempts to interpose himself, the man in the
> middle, into an existing relationship between two people
> that know and trust each other. 

in the public key model ... whether it involves pgp, pki, digital
certificates, what-ever; the local user (relying party) has to have a
local trusted repository for public keys. in the pki model, this tends
to be restricted to public keys of certification authorities ... so that
the relying party can verify the digital signature on these
message/document constructs called digital certificates.

in the traditional, ongoing relationship scenario, relying parties
directly record authentication information of the parties they are
dealing with. if a relying party were to directly record the public key
of the people they are communicating with ... it is the trusting of that
public key and the validating of associated public key operations that
provide for the countermeasure for man-in-the-middle attacks and
phishing attacks.

the issue that has been repeatedly discussed is that supposedly the
existing SSL domain name digital certificates was to prevent
impresonation and mitm-attacks. however, because of various
infrastructure shortcomings ... an attacker can still operate with
perfectly valid SSL domain name digital certificates ... and it doesn't
stop the MITM-attack and/or phishing.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo at metzdowd.com



More information about the cryptography mailing list