Penetration Testing mailing list archives
RE: Can you impersonate a client side cert??
From: "Cushing, David" <David.Cushing () hitachisoftware com>
Date: Wed, 30 Jan 2002 13:08:20 -0500
In most applications, servers only trust certs issued by a particular CA (perhaps a local CA) and not the universe of possible commercial CA's that are available by default in the web server (since commercial CAs typically have pretty week auth criteria - Verisign, for example lets you get one for "test purposes" using just your email address.) So, using a spurious CA that you control is (usually) out of the question.
Many applications will also allow you to establish trust based on the user certificate [chain] instead of a root CA certificate. If it supports it this is a nice way to lock things down a little more solidly. -David ---------------------------------------------------------------------------- This list is provided by the SecurityFocus Security Intelligence Alert (SIA) Service. For more information on SecurityFocus' SIA service which automatically alerts you to the latest security vulnerabilities please see: https://alerts.securityfocus.com/
Current thread:
- RE: Can you impersonate a client side cert?? Ed Moyle (Jan 28)
- <Possible follow-ups>
- RE: Can you impersonate a client side cert?? Jason Brvenik (Jan 28)
- RE: Can you impersonate a client side cert?? charl van der walt (Jan 28)
- Can you impersonate a client side cert?? Darren Craig (Jan 28)
- RE: Can you impersonate a client side cert?? Bryan Allerdice (Jan 28)
- RE: Can you impersonate a client side cert?? L Williams (Jan 28)
- RE: Can you impersonate a client side cert?? pmawson (Jan 28)
- RE: Can you impersonate a client side cert?? Ed Moyle (Jan 29)
- RE: Can you impersonate a client side cert?? Cushing, David (Jan 30)
- RE: Can you impersonate a client side cert?? Michael Howard (Jan 30)