No, I am not at all confused. You are confused and immune to education, and based on the number of emails I've gotten about this thread from professional security people, I'm pretty sure I'm right.
David, I am a security professional, and I have the greatest respect for Rich Salz, and I have the greatest confidence in Geoff Thorpe as well.
The MITM can run separate SSL sessions to both the server and the client and proxy the plaintext between the two connections. That's well within the scope of what a MITM can do.
That's not MITM against SSL, is it? Trust != Authentication.
Since we're talking about a definition, it's impossible for everybody else to be wrong and for you to be right.
I'm happy with the company I'm in on the issue, thanks.
______________________________________________________________________ OpenSSL Project http://www.openssl.org User Support Mailing List [EMAIL PROTECTED] Automated List Manager [EMAIL PROTECTED]