[WEB SECURITY] Improving Authentication on the Internet

Paul Schmehl pauls at utdallas.edu
Thu May 12 10:39:58 EDT 2005


--On Thursday, May 12, 2005 11:21:53 AM +0200 Mitja Kolsek 
<mitja.kolsek at acrossecurity.com> wrote:
>
> I'm interested in knowing if others on this list have similar experiences
> in their local environments. The way I see it, if someone "forces" you to
> install a new trusted root cert, we need a process for verifying its
> authenticity. One way would be to use transitivity and provide download of
> newcert.cer via an HTTPS connection authenticating the site owner with an
> already trusted root cert like Verisign or Thawte. Another would be for
> the officials to provide - written and in person - the newcert.cer's
> fingerprint to users at the time of users' enrollment, along with
> instructions for newcert's validation upon download. Any other ideas?
>
I'm not disagreeing with your analysis, but wouldn't your method invalidate 
the need for the local root cert?  If you're going to trust Verisign to 
affirm the authenticity of the local root cert, then you're back to the 
same place you were before you created your own - trusting the existing 
root certs.

Aren't you?

Paul Schmehl (pauls at utdallas.edu)
Adjunct Information Security Officer
The University of Texas at Dallas
AVIEN Founding Member
http://www.utdallas.edu

---------------------------------------------------------------------
The Web Security Mailing List
http://www.webappsec.org/lists/websecurity/
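Mitja's second option, checking a downloaded newcert.cer against a fingerprint handed over in writing, as an added Python example (not code from either poster; the certificate bytes below are a constructed stand-in, not a real certificate):

```python
import base64
import hashlib
import hmac
import re

# Constructed sample: a tiny DER SEQUENCE standing in for a real newcert.cer.
SAMPLE_DER = b"\x30\x03\x02\x01\x01"
SAMPLE_PEM = (b"-----BEGIN CERTIFICATE-----\n"
              + base64.b64encode(SAMPLE_DER) + b"\n"
              + b"-----END CERTIFICATE-----\n")

def pem_to_der(data: bytes) -> bytes:
    """Return the DER encoding; accepts raw DER or a PEM-wrapped certificate."""
    text = data.decode("ascii", errors="ignore")
    m = re.search(r"-----BEGIN CERTIFICATE-----(.*?)-----END CERTIFICATE-----",
                  text, re.S)
    if m:
        return base64.b64decode("".join(m.group(1).split()))
    return data

def fingerprint(cert: bytes, algo: str = "sha256") -> str:
    """Colon-separated uppercase hex digest of the DER bytes, the form
    browsers and openssl print and the form an official would write down."""
    digest = hashlib.new(algo, pem_to_der(cert)).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fp: str) -> str:
    """Drop colons, spaces and case so a hand-copied fingerprint compares cleanly."""
    return re.sub(r"[^0-9A-Fa-f]", "", fp).upper()

def matches_out_of_band(cert: bytes, expected_fp: str, algo: str = "sha256") -> bool:
    """True only if the downloaded cert's fingerprint equals the one received
    in person/in writing. Constant-time compare; a length mismatch (wrong hash
    algorithm or truncated copy) is simply a failure, never a partial match."""
    got, want = normalize(fingerprint(cert, algo)), normalize(expected_fp)
    if len(got) != len(want):
        return False
    return hmac.compare_digest(got, want)

if __name__ == "__main__":
    # Pretend the written note from the enrollment desk said this:
    written_down = fingerprint(SAMPLE_DER).lower().replace(":", " ")
    print("sha256:", fingerprint(SAMPLE_PEM))
    print("matches written fingerprint:", matches_out_of_band(SAMPLE_PEM, written_down))
```

Only install the certificate as a trusted root when the function returns True; a mismatch means the download, not the note, is suspect.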
