> Indeed, if I get to filter *all* your accesses to the net, I can make
> you believe anything I want, by masquerading as all possible trusted
> third parties. There's nothing to be done about this.
Well, kinda, but not really. If I have a certificate from, say,
the real CA (i.e., Verisign), then you can't spoof me, you can only
deny me access. That's why PKI (public key infrastructure) talks
about "out of band" configuration or validation of the root key.
In the Web world, all SSL-speaking browsers come with a list of root
certificates for CA's that issue SSL-certs. As long as you trust
the certs that came with your browser, then even if I am sitting
as a lonely island completely with every one of my IP packets
under your control, you can't fool me.
/r$
--
Rich Salz Chief Security Architect
DataPower Technology http://www.datapower.com
XS40 XML Security Gateway http://www.datapower.com/products/xs40.html
XML Security Overview http://www.datapower.com/xmldev/xmlsecurity.html
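
The point made in this message, as an added example that is not part of the original post: a client that checks certificates against a root it received out of band rejects a certificate issued by a look-alike root, even one carrying the same CA name and site name. It assumes the `openssl` command-line tool is installed; every key, CA name and site name below is constructed for the demonstration.

```shell
#!/bin/sh
# Constructed demo: every key, name and certificate below is generated on the spot.
work=$(mktemp -d) && trap 'rm -rf "$work"' EXIT

make_root() {   # $1 = file prefix, $2 = CA common name
    openssl req -x509 -newkey rsa:2048 -nodes -days 1 -subj "/CN=$2" \
        -keyout "$work/$1.key" -out "$work/$1.pem" 2>/dev/null
}

issue_cert() {  # $1 = signing CA prefix, $2 = leaf prefix, $3 = site name
    openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$3" \
        -keyout "$work/$2.key" -out "$work/$2.csr" 2>/dev/null
    openssl x509 -req -in "$work/$2.csr" -days 1 -CAcreateserial \
        -CA "$work/$1.pem" -CAkey "$work/$1.key" -out "$work/$2.pem" 2>/dev/null
}

# Succeeds only if the presented certificate chains to the given root.
chains_to() {   # $1 = trusted root prefix, $2 = presented leaf prefix
    openssl verify -CAfile "$work/$1.pem" "$work/$2.pem" >/dev/null 2>&1
}

# The root the client received out of band (for example, shipped with the browser).
make_root shipped "Example Root CA"
issue_cert shipped genuine "www.example.test"

# Whoever controls the network creates a root with the same name, issues a
# certificate for the same site, and presents it in place of the real one.
make_root lookalike "Example Root CA"
issue_cert lookalike spoofed "www.example.test"

for leaf in genuine spoofed; do
    if chains_to shipped "$leaf"; then
        echo "$leaf: accepted by the shipped root"
    else
        echo "$leaf: rejected, so access is denied rather than spoofed"
    fi
done
```

The names match in both chains; only the signature made with the shipped root's private key distinguishes them, which is why the integrity of the preinstalled root list is what the whole check rests on.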