Re: SSL certificate modification
From: Anne & Lynn Wheeler (lynn@garlic.com)
Date: 10/10/02
From: Anne & Lynn Wheeler <lynn@garlic.com> Date: Thu, 10 Oct 2002 21:04:41 GMT
Henrick Hellström <henrick.hellstrm@telia.com> writes:
> That's only one reason for the existence of SSL server
> certificates. The other reason, which IMHO is even more important, is
> that certificates contain certified public keys which are used during
> the SSL handshake and e.g. prevent man-in-the-middle attacks.

see later in the (same) post regarding near real time serving of trusted
public keys ... as opposed to stale,
http://www.garlic.com/~lynn/2002m.html#64 SSL certificate modification

aka that the CA requirement for improving domain name infrastructure
by having the domain name infrastructure register public keys at
the same time they register the domain name:

1) improves the integrity of the domain name infrastructure so that
the CAs can trust the information ... but if the CAs can trust the
information ... then other people can trust the information ... by
implication then the domain name infrastructure is a trusted server
... a catch-22 that eliminates the main reason for having SSL domain
name certificates ... aka i've actually heard of real situations
involving domain name take over and impersonation, i have yet to hear
of a situation of real, actual, significant mitm attacks.

2) if public keys are registered as part of #1 ... and also by #1 the
domain name infrastructure is a trusted server ... then the existing
domain name infrastructure can do trusted, near real time serving of
public keys ... which is significantly better than the stale
information paradigm implemented with certificates. as noted
previously ... the domain name infrastructure is implemented to serve
up general information ... not just ip-addresses.

not mentioned in the previous posting, that with the ability to obtain
both the real trusted ip-address and the trusted public key in a
single operation ... there can be a reduction in the SSL protocol
handshaking chatter as part of setting up a session. The client as
part of the original contact to the server ... includes an SSL setup
request piggybacked with the random session key (encrypted with
the server's public key) and the acceptable symmetric algorithms. The
server responds with its choice of algorithm and the number of bits
used from the random session key and everything else encrypted with
the random session key. In theory, the SSL session could be set up and
running in a single round trip.

a) trusted public key obtained in the same domain name infrastructure
transaction that is already performed to obtain the ip-address. this
is near real-time status ... and doesn't suffer the shortcomings of
stale credential information that may need some sort of CRL broadcast
to invalidate information aka current SSL domain name certificates
aren't a real PKI infrastructure since it lacks the management of
revoked/changed information ... say something like periodic broadcasts
of CRLs to all possible browsers in the world.

b) since the client already has the server's public key prior to
contacting the server ... SSL session setup chatter might be reduced
to single round-trip ... piggybacked as part of the initial session
setup.

as before .... (numerous) other postings with these observations:
http://www.garlic.com/~lynn/subtopic.html#sslcerts

-- 
Anne & Lynn Wheeler | lynn@garlic.com - http://www.garlic.com/~lynn/
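
The single round-trip setup described in the post, sketched as an added example that is not part of the original post or any real SSL implementation. Assumptions: the `ZONE` dict stands in for a trusted name lookup that returns ip-address and public key together, RSA is an unpadded toy, the symmetric cipher is a SHA-256 keystream, and the HMAC tag on the reply is an addition so the client can tell whether the responder actually held the private key.

```python
import hashlib, hmac, secrets

# Toy textbook RSA (no padding) built from two Mersenne primes: illustration only.
P, Q, E = 2**61 - 1, 2**89 - 1, 65537
N, D = P * Q, pow(E, -1, (P - 1) * (Q - 1))   # D is the server's private exponent

# Constructed record: one name lookup returns both the ip-address and the public key.
ZONE = {"www.example.com": {"ip": "192.0.2.10", "pubkey": (N, E)}}

def subkey(key: bytes, label: bytes) -> bytes:
    return hashlib.sha256(label + key).digest()

def keystream_xor(key: bytes, data: bytes) -> bytes:
    """Stand-in symmetric cipher: XOR with a SHA-256 counter keystream."""
    out = bytearray()
    for i in range(0, len(data), 32):
        block = hashlib.sha256(key + i.to_bytes(8, "big")).digest()
        out += bytes(a ^ b for a, b in zip(data[i:i + 32], block))
    return bytes(out)

def client_hello(name: str):
    """Message 1: session key wrapped under the looked-up public key, plus algorithms."""
    rec = ZONE[name]
    n, e = rec["pubkey"]
    session_key = secrets.token_bytes(16)
    wrapped = pow(int.from_bytes(session_key, "big"), e, n)
    return session_key, {"to": rec["ip"], "wrapped_key": wrapped,
                         "algorithms": ["toy-xor-128"]}

def server_reply(hello: dict, private_exp: int, payload: bytes) -> dict:
    """Message 2: chosen algorithm and key bits in clear, the rest under the session key."""
    key = pow(hello["wrapped_key"], private_exp, N).to_bytes(19, "big")[-16:]
    body = keystream_xor(subkey(key, b"enc"), payload)
    tag = hmac.new(subkey(key, b"mac"), body, hashlib.sha256).hexdigest()
    return {"algorithm": hello["algorithms"][0], "key_bits": 128, "body": body, "tag": tag}

def client_finish(session_key: bytes, reply: dict) -> bytes:
    """Accept the reply only if its sender could unwrap the session key."""
    want = hmac.new(subkey(session_key, b"mac"), reply["body"], hashlib.sha256).hexdigest()
    if not hmac.compare_digest(want, reply["tag"]):
        raise ValueError("reply was not keyed with our session key")
    return keystream_xor(subkey(session_key, b"enc"), reply["body"])

if __name__ == "__main__":
    sk, hello = client_hello("www.example.com")
    print(client_finish(sk, server_reply(hello, D, b"hello over one round trip")))
```

The whole exchange is two messages; the client's trust in the responder rests entirely on the public key that came back from the lookup, so a responder without the matching private exponent fails the check in `client_finish`.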