Hello Alon,

> mts.spb.s...@mail.ru wrote:
> > Hello Alon,
> >
> > ABL> So as long as private keys cannot be extracted... and as long as
> > ABL> the attacker does not have access to the CA private key, you are
> > ABL> in a good security level.
> > The CA certificate I included on the token *DOES NOT* contain its
> > private key.
>
> They can simply replace it with a different CA certificate,
> so that you authenticate to a server that claims to be your
> server but actually is a different server that has the same
> certificate name as your server but was issued by the CA
> that replaced your CA on the token.
But you forgot one point: if the attacker has write access to your token, you have lost anyway...

Bye
Goetz
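The CA swap Alon describes, played out in Go as an added example that is not code from this thread or from any token software. It models the token's CA object as an in-memory certificate (an assumption; a real token would hand the object out over PKCS#11), mints a genuine CA and a rogue CA that share the constructed name "Example Root CA" but not a key, issues each a server certificate for the constructed host name vpn.example.com, and runs two clients against both: one that trusts whatever CA object is on the token, and one that first compares that object against a SHA-256 fingerprint recorded outside the token at provisioning time. The fingerprint pin is an assumption about what a client could check; it only helps if the pin itself lives somewhere the attacker cannot write, which is Goetz's point.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// Result records which client accepted which server.
type Result struct{ GenuineViaToken, GenuineViaPin, RogueViaToken, RogueViaPin bool }

// mint generates a fresh key and signs tmpl with parentKey under parent;
// with parent == nil the certificate is self-signed.
func mint(tmpl, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	if parent == nil {
		parent, parentKey = tmpl, key
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		return nil, nil, err
	}
	cert, err := x509.ParseCertificate(der)
	return cert, key, err
}

// mintChain builds a CA named cn plus a server certificate for host issued by it;
// two calls with the same cn give two CAs that differ only in their keys (the swap from the thread).
func mintChain(cn, host string) (*x509.Certificate, *x509.Certificate, error) {
	now := time.Now()
	ca, caKey, err := mint(&x509.Certificate{
		SerialNumber: big.NewInt(1), Subject: pkix.Name{CommonName: cn},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		IsCA: true, BasicConstraintsValid: true, KeyUsage: x509.KeyUsageCertSign,
	}, nil, nil)
	if err != nil {
		return nil, nil, err
	}
	srv, _, err := mint(&x509.Certificate{
		SerialNumber: big.NewInt(2), Subject: pkix.Name{CommonName: host}, DNSNames: []string{host},
		NotBefore: now.Add(-time.Hour), NotAfter: now.Add(24 * time.Hour),
		KeyUsage:    x509.KeyUsageDigitalSignature,
		ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}, ca, caKey)
	return ca, srv, err
}

// fingerprint is the SHA-256 of the certificate's DER encoding, hex encoded.
func fingerprint(c *x509.Certificate) string { return fmt.Sprintf("%x", sha256.Sum256(c.Raw)) }

// verifyViaToken is the client from the thread: it trusts whatever CA object the token holds.
func verifyViaToken(tokenCA, leaf *x509.Certificate, host string) error {
	roots := x509.NewCertPool()
	roots.AddCert(tokenCA)
	_, err := leaf.Verify(x509.VerifyOptions{Roots: roots, DNSName: host})
	return err
}

// verifyViaPin first compares the token's CA object against a fingerprint recorded
// outside the token (e.g. in client configuration) when the token was provisioned.
func verifyViaPin(tokenCA *x509.Certificate, pinned string, leaf *x509.Certificate, host string) error {
	if fingerprint(tokenCA) != pinned {
		return fmt.Errorf("CA object on token does not match pinned fingerprint")
	}
	return verifyViaToken(tokenCA, leaf, host)
}

// Scenario plays out the attack: an attacker with write access overwrites the CA object with
// a rogue CA of the same name and presents a server certificate for the same host issued by it.
func Scenario() (Result, error) {
	const host = "vpn.example.com" // constructed host name
	var r Result
	realCA, realSrv, err := mintChain("Example Root CA", host)
	if err != nil {
		return r, err
	}
	rogueCA, rogueSrv, err := mintChain("Example Root CA", host) // same name, attacker's key
	if err != nil {
		return r, err
	}
	pin := fingerprint(realCA) // recorded when the token was provisioned
	tokenCA := realCA
	r.GenuineViaToken = verifyViaToken(tokenCA, realSrv, host) == nil
	r.GenuineViaPin = verifyViaPin(tokenCA, pin, realSrv, host) == nil
	tokenCA = rogueCA // the write-access attacker swaps the CA object
	r.RogueViaToken = verifyViaToken(tokenCA, rogueSrv, host) == nil
	r.RogueViaPin = verifyViaPin(tokenCA, pin, rogueSrv, host) == nil
	return r, nil
}
```

Calling Scenario() returns GenuineViaToken and GenuineViaPin true, RogueViaToken true (the swapped CA object validates the rogue server, exactly as Alon says) and RogueViaPin false. Note that the pin check only moves the trust anchor from the token into the client's configuration; an attacker who can also write there is back to Goetz's "you have lost anyway".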