mts.spb.s...@mail.ru wrote:
> Hello Alon,
>
> ABL> Sure! I recommend doing so.
>
> OK.
>
> ABL> So as long as private keys cannot be extracted... and as long as
> ABL> the attacker does not have access to the CA private key, you are
> ABL> in a good security level.
>
> The CA certificate I included on the token *DOES NOT* contain its
> private key.
> Do you mean the brute-force against the CA's public key?

They can simply replace it with a different CA certificate,
so that you authenticate to a server that claims to be your
server but actually is a different server that has the same
certificate name as your server but was issued by the CA
that replaced your CA on the token.

> ABL> ... if the user can select any openvpn configuration he can alter
> ABL> your network trust and bridge it to unauthorized foreign
> ABL> networks...
>
> Oh! Yes, now I see!

I am glad!

Best Regards,
Alon Bar-Lev.
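The swapped-CA scenario Alon describes (a server with the right name, issued by a CA the attacker planted) is defeated if the client pins the issuer by fingerprint rather than trusting whatever CA material the token or a user-chosen config supplies. The following is an added example, not code from this thread or from the OpenVPN project: a Python script shaped like an OpenVPN `tls-verify` hook, which OpenVPN calls once per certificate in the peer chain with the depth and the X.509 subject as arguments. The `tls_digest_sha256_{n}` environment variable, the pinned digest, the server CN and the two sample chains are assumptions constructed for the example; check the OpenVPN manual for your version before relying on the variable name.

```python
import hmac
import os
import sys
from typing import Dict, FrozenSet, List, Optional, Tuple

# Constructed sample values (not from the thread): the SHA-256 fingerprint
# the operator recorded when the real CA was provisioned, and the CN the
# VPN server certificate is expected to carry.
PINNED_ISSUER_SHA256: FrozenSet[str] = frozenset({"aa" * 32})
EXPECTED_SERVER_CN = "vpn.example.net"


def common_name(subject: str) -> Optional[str]:
    """Extract CN from an OpenVPN-style subject string such as
    'C=XX, O=Example, CN=vpn.example.net'."""
    for part in subject.split(","):
        key, _, value = part.strip().partition("=")
        if key.strip().upper() == "CN":
            return value.strip()
    return None


def check_peer(depth: int, subject: str, env: Dict[str, str],
               pinned: FrozenSet[str] = PINNED_ISSUER_SHA256,
               expected_cn: str = EXPECTED_SERVER_CN) -> bool:
    """Decide whether the certificate at this chain depth is acceptable.

    OpenVPN invokes the hook from the root (highest depth) down to the
    server certificate (depth 0) and aborts the handshake if any call
    fails, so each depth only has to answer for itself.
    """
    # Assumed variable name; OpenVPN exports per-depth digests this way.
    digest = env.get(f"tls_digest_sha256_{depth}", "")
    digest = digest.replace(":", "").lower()
    if depth > 0:
        # Every issuer must be one we pinned. A CA the attacker placed on
        # the token or in a user-selected config has a different digest.
        return any(hmac.compare_digest(digest, p.lower()) for p in pinned)
    # Leaf certificate: the name must match. Name alone is not enough,
    # which is exactly the thread's point; the issuer check above is what
    # rejects a look-alike cert signed by a rogue CA.
    return common_name(subject) == expected_cn


# A chain is modelled as OpenVPN presents it: (depth, subject, sha256 digest).
Chain = List[Tuple[int, str, str]]


def verify_chain(chain: Chain) -> bool:
    """Simulate OpenVPN calling the hook once per depth; all must pass."""
    for depth, subject, digest in chain:
        env = {f"tls_digest_sha256_{depth}": digest}
        if not check_peer(depth, subject, env):
            return False
    return True


# Constructed sample chains. The legitimate server chains to the pinned CA.
LEGIT_CHAIN: Chain = [
    (1, "O=Example, CN=Example Root CA", "aa" * 32),
    (0, "O=Example, CN=vpn.example.net", "11" * 32),
]
# The attacker's server carries the same CN but was issued by the CA that
# replaced ours on the token: the name check passes, the issuer pin fails.
ROGUE_CA_CHAIN: Chain = [
    (1, "O=Example, CN=Example Root CA", "bb" * 32),
    (0, "O=Example, CN=vpn.example.net", "22" * 32),
]


def main() -> int:
    # As a tls-verify script: argv[1] is depth, argv[2] is the subject.
    depth = int(sys.argv[1])
    subject = sys.argv[2]
    return 0 if check_peer(depth, subject, dict(os.environ)) else 1


if __name__ == "__main__":
    sys.exit(main())
```

Keep the pinned digest and this script in a root-owned location the VPN user cannot edit; if the user can choose the configuration that references them, the pin is only as strong as that configuration.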