On 1/11/06, Albert Siersema <ap...@friendly.net> wrote:
> -----BEGIN PGP SIGNED MESSAGE-----
> Hash: RIPEMD160
>
> > They can simply replace it with a different CA certificate, so that you
> > authenticate to a server that claims to be your server but actually is a
> > different server that has the same certificate name as your server but
> > was issued by the CA that replaced your CA on the token.
>
> But doesn't storing the CA cert on the local hard drive expose you to the
> very same problem? And the hard drive is always accessible, there's no
> authentication to access it once you're running from it.
> (or am I missing the point here?)

Let's say that you don't run as root or Administrator, the openvpn daemon or service is using a configuration file you cannot modify, and this configuration file refers to a CA certificate that you cannot modify either. The result is that you can access only servers that suit the system administrator's policy; you cannot bridge your network to a foreign site.

Modifying this configuration requires something you don't have (administrative permission); altering the token requires something you have (PIN). Moreover, modifying the token exposes you wherever you go; breaking into a specific machine exposes you only on this machine.

I hope this answers your question,
Alon Bar-Lev.
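
An added example, not part of the original message or of OpenVPN: a check an administrator could run to confirm the precondition the reply relies on, namely that neither the OpenVPN configuration file nor the CA file named by its `ca` directive (nor their parent directories) can be changed by an unprivileged user. The function names, the sample file names and the rule for resolving relative paths are assumptions made for the example.

```python
import os, shlex, stat, tempfile

def weak_points(path, trusted_uids):
    """Reasons an untrusted local user could alter `path` (mode bits, not os.access)."""
    st = os.stat(path)  # follows symlinks, so the file actually used is checked
    out = []
    if st.st_uid not in trusted_uids:
        out.append(f"{path}: owned by untrusted uid {st.st_uid}")
    if st.st_mode & (stat.S_IWGRP | stat.S_IWOTH):
        out.append(f"{path}: group/world writable ({stat.filemode(st.st_mode)})")
    return out

def ca_source(config_path):
    """File supplying the CA: the `ca` directive's target, or the config itself for inline <ca>."""
    with open(config_path) as fh:
        for raw in fh:
            line = raw.strip()
            if line.startswith("<ca>"):
                return config_path
            if not line or line[0] in "#;":
                continue
            words = shlex.split(line, comments=True)
            if len(words) >= 2 and words[0] == "ca":
                # Assumption: relative paths resolve against the config's directory.
                return os.path.join(os.path.dirname(config_path), words[1])
    return None

def audit(config_path, trusted_uids=(0,)):
    config_path = os.path.realpath(config_path)
    ca = ca_source(config_path)
    findings = [] if ca else [f"{config_path}: no CA certificate configured"]
    files = [config_path] + ([os.path.realpath(ca)] if ca else [])
    # A writable parent directory lets the file be swapped, so check it too.
    paths = dict.fromkeys(p for f in files for p in (f, os.path.dirname(f)))
    for p in paths:
        findings += weak_points(p, trusted_uids)
    return findings

def demo():
    """Constructed sample: a temp dir standing in for the OpenVPN config directory."""
    d = tempfile.mkdtemp()
    conf, ca = os.path.join(d, "client.conf"), os.path.join(d, "ca.crt")
    with open(conf, "w") as fh:
        fh.write("client\n# constructed sample config\nca ca.crt\n")
    with open(ca, "w") as fh:
        fh.write("constructed placeholder, not a real certificate\n")
    os.chmod(conf, 0o644); os.chmod(ca, 0o644)
    me = {os.geteuid()}  # stand-in for root so the demo runs unprivileged
    locked = audit(conf, me)
    os.chmod(ca, 0o666)  # simulate a CA file any local user can replace
    return locked, audit(conf, me)
```

On a real system, call `audit()` with the path of the configuration file the daemon actually loads and leave `trusted_uids` at its default of root; an empty list means the files and their directories are only changeable with administrative permission.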