[14702] in cryptography@c2.net mail archive
Re: SSL, client certs, and MITM (was WYTM?)
daemon@ATHENA.MIT.EDU (Thor Lancelot Simon)
Wed Oct 22 19:14:01 2003
X-Original-To: cryptography@metzdowd.com
Date: Wed, 22 Oct 2003 19:02:07 -0400
From: Thor Lancelot Simon <tls@rek.tjls.com>
To: Tom Otvos <tom.otvos@rogers.com>
Cc: cryptography@metzdowd.com
Reply-To: tls@rek.tjls.com
In-Reply-To: <MEEBJOIIAAPOFDCDLKFPIEEDDCAA.tom.otvos@rogers.com>
On Wed, Oct 22, 2003 at 05:08:32PM -0400, Tom Otvos wrote:
> >
> > So what purpose would client certificates address? Almost all of the use
> > of SSL domain name certs is to hide a credit card number when a consumer
> > is buying something. There is no requirement for the merchant to
> > identify and/or authenticate the client .... the payment infrastructure
> > authenticates the financial transaction and the server is concerned
> > primarily with getting paid (which comes from the financial institution)
> > not who the client is.
> >
>
> The CC number is clearly not hidden if there is a MITM.
Can you please posit an *exact* situation in which a man-in-the-middle
could steal the client's credit card number even in the presence of a
valid server certificate? Can you please explain *exactly* how using a
client-side certificate rather than some other form of client authentication
would prevent this?
Thor
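The question above turns on what "a valid server certificate" means to the client. Below is an added example, not part of the original thread or of any project's code, that performs the check a TLS client applies to the Certificate message it receives (the chain must end at a root the client already trusts, and the leaf must be valid for the host name the client connected to; Go's crypto/tls applies exactly this check with RootCAs and ServerName). The PKI is constructed in memory: the root "Trusted Root CA", the merchant host "shop.example", the interceptor's "Attacker CA" and the unrelated host "evil.example" are all made up for the demonstration, and Issue and ClientAccepts are hypothetical helpers. It goes a step beyond the message by also showing the one case in which the interceptor's forged certificate does pass: when its root is in the client's trust store.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// serial is a counter so each constructed certificate gets a distinct serial number.
var serial int64

// Issue builds a certificate for name signed by parent/parentKey; with parent == nil the
// certificate is self-signed (a root). Leaf certificates carry name as a DNS SAN, which is
// what a TLS client's host name check is matched against. (Hypothetical helper.)
func Issue(name string, isCA bool, parent *x509.Certificate, parentKey *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	serial++
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
	}
	if isCA {
		tmpl.KeyUsage = x509.KeyUsageCertSign
	} else {
		tmpl.KeyUsage = x509.KeyUsageDigitalSignature
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth}
		tmpl.DNSNames = []string{name}
	}
	if parent == nil {
		parent, parentKey = tmpl, key // self-signed root
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, parentKey)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert, key
}

// ClientAccepts is the server-certificate check a TLS client performs: the presented
// certificate must chain to a root in the client's trust store and must be valid for
// serverName. A nil result means the client would continue the handshake and send
// application data (such as a card number) to whoever holds the matching private key.
func ClientAccepts(trustedRoot *x509.Certificate, serverName string, presented *x509.Certificate) error {
	roots := x509.NewCertPool()
	roots.AddCert(trustedRoot)
	_, err := presented.Verify(x509.VerifyOptions{Roots: roots, DNSName: serverName})
	return err
}

func main() {
	// Constructed PKI: the root the client trusts and the merchant's genuine certificate.
	root, rootKey := Issue("Trusted Root CA", true, nil, nil)
	merchant, _ := Issue("shop.example", false, root, rootKey)

	// An interceptor can mint a certificate for the merchant's name under its own root,
	// but it cannot obtain the trusted root's signature on it.
	attackerRoot, attackerKey := Issue("Attacker CA", true, nil, nil)
	forged, _ := Issue("shop.example", false, attackerRoot, attackerKey)

	// An interceptor holding a genuine certificate for some other host fails the name check.
	other, _ := Issue("evil.example", false, root, rootKey)

	cases := []struct {
		label     string
		trusted   *x509.Certificate
		presented *x509.Certificate
	}{
		{"genuine merchant cert", root, merchant},
		{"forged cert, untrusted root", root, forged},
		{"genuine cert for another name", root, other},
		{"forged cert, attacker root trusted", attackerRoot, forged},
	}
	for _, c := range cases {
		fmt.Printf("%-36s -> %v\n", c.label, ClientAccepts(c.trusted, "shop.example", c.presented))
	}
}
```

Only the first and last cases return nil. The last one is the situation in which a man-in-the-middle does see the card number with no cryptography broken: the client's trust store, not the server's certificate, is what was compromised, and a client certificate does not change what the client is willing to trust on the server side.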
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majordomo@metzdowd.com