On Wed, Sep 26, 2007 at 03:58:08PM -0700, David Schwartz wrote:
> I am not enough of an expert to comment for sure on this, but it seems that
> there would be no harm in using the certificate for this purpose. A MITM
> cannot create an SSL session that uses the same certificate as the real
> server because that would mean the MITM would have to know the same private
> key the real server is using.
> > David's proposal very likely works for him, but IMHO is bad advice,
> > because the sophistication required to execute it correctly is too high.
>
> Do you know any other good way to get MITM detection other than a
> certificate issued by a trusted CA? For some applications, that's just not
> what you want.
Use a self-signed cert and a trusted source of peer<->cert or cert
fingerprint mappings. The public CA is just one mapping function.
--
Viktor.
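The fingerprint-mapping approach Viktor describes, written out as an added Python example that is not part of the thread: the client ignores the CA chain entirely and instead compares the SHA-256 fingerprint of the server's DER certificate against a locally trusted host-to-fingerprint table. Host names and pin values below are constructed placeholders.

```python
import hashlib
import hmac
import socket
import ssl

# Constructed trust store (placeholder values): hostname -> SHA-256 fingerprint of
# the server's DER certificate, in the colon-separated form printed by
# `openssl x509 -noout -fingerprint -sha256`. Distributed out of band, not by a CA.
PINS = {
    "imap.example.test": "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99:"
                         "AA:BB:CC:DD:EE:FF:00:11:22:33:44:55:66:77:88:99",
}


def fingerprint(der_cert: bytes) -> str:
    """SHA-256 fingerprint of a DER-encoded certificate, lowercase hex, no colons."""
    return hashlib.sha256(der_cert).hexdigest()


def check_pin(host: str, der_cert: bytes, pins: dict) -> bool:
    """True only if a pin exists for host and the presented cert matches it."""
    expected = pins.get(host)
    if expected is None:
        return False  # unknown peer: refuse rather than silently trust on first use
    normalised = expected.lower().replace(":", "")
    # A MITM can present any cert chain it likes, but not one with this fingerprint
    # unless it holds the real server's private key (or its literal certificate).
    return hmac.compare_digest(fingerprint(der_cert), normalised)


def connect_pinned(host: str, port: int, pins: dict) -> ssl.SSLSocket:
    """Open a TLS connection whose only trust anchor is the pinned fingerprint."""
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    ctx.check_hostname = False       # must be cleared before verify_mode
    ctx.verify_mode = ssl.CERT_NONE  # no CA check; self-signed is fine
    sock = ctx.wrap_socket(socket.create_connection((host, port)),
                           server_hostname=host)
    # binary_form=True returns the DER even though the chain was not validated
    der = sock.getpeercert(binary_form=True)
    if der is None or not check_pin(host, der, pins):
        sock.close()
        raise ssl.SSLError(f"certificate presented by {host} does not match its pin")
    return sock
```

The pin table is the whole trust decision here, so rotating the server certificate means distributing a new fingerprint through the same out-of-band channel.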
______________________________________________________________________
OpenSSL Project http://www.openssl.org
User Support Mailing List [email protected]
Automated List Manager [EMAIL PROTECTED]