Penetration Testing mailing list archives

RE: Can you impersonate a client side cert??


From: "Cushing, David" <David.Cushing () hitachisoftware com>
Date: Wed, 30 Jan 2002 13:08:20 -0500

In most applications, servers only trust
certs issued by a particular CA (perhaps a local CA) and not
the universe of possible commercial CAs that are available
by default in the web server (since commercial CAs typically
have pretty weak auth criteria - Verisign, for example, lets
you get one for "test purposes" using just your email
address.)  So, using a spurious CA that you control is
(usually) out of the question.

Many applications will also allow you to establish trust based on the
user certificate [chain] instead of a root CA certificate.  If it
supports it this is a nice way to lock things down a little more
solidly.

-David
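The two controls David describes (trust only your own CA rather than the default commercial bundle, and optionally pin the enrolled user certificate itself) as an added Python example, not code from the original post. The CA file path is hypothetical and the byte strings used as "certificates" are constructed for illustration.

```python
import hashlib
import ssl
from typing import Iterable, Optional


def build_server_context(local_ca_file: Optional[str]) -> ssl.SSLContext:
    """Server-side TLS context that demands a client certificate and trusts
    only the CA in local_ca_file (hypothetical path), never the default
    bundle of commercial CAs. None is only for offline tests: with no CA
    loaded, every client certificate is rejected."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_SERVER)
    ctx.minimum_version = ssl.TLSVersion.TLSv1_2
    ctx.verify_mode = ssl.CERT_REQUIRED  # handshake fails without a client cert
    # Deliberately no load_default_certs(): a cert issued by any public CA,
    # including a "test purposes" one, does not chain to anything we trust.
    if local_ca_file is not None:
        ctx.load_verify_locations(cafile=local_ca_file)
    return ctx


def cert_fingerprint(der: bytes) -> str:
    """SHA-256 of the DER-encoded certificate as colon-separated uppercase hex,
    the format `openssl x509 -noout -fingerprint -sha256` prints."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))


def is_pinned(der: bytes, pins: Iterable[str]) -> bool:
    """True when the presented certificate is one of the explicitly enrolled
    user certificates (trust on the leaf, on top of the CA check). Pins may be
    given with or without colons and in either case."""
    normalized = {p.replace(":", "").upper() for p in pins}
    return hashlib.sha256(der).hexdigest().upper() in normalized


def authorize_peer(tls_sock: ssl.SSLSocket, pins: Iterable[str]) -> bool:
    """Call after accept()/do_handshake(): the CA chain check has already
    passed inside the handshake, this adds the per-user pin check."""
    der = tls_sock.getpeercert(binary_form=True)
    return der is not None and is_pinned(der, pins)
```

Enrolling a user then means recording `cert_fingerprint()` of the certificate you issued; a certificate from the same CA that was never enrolled is still refused by `authorize_peer()`.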
