[JDEV] Dialback and STARTTLS

Justin Karneges justin-keyword-jabber.093179 at affinix.com
Fri Nov 21 13:46:44 CST 2003

On Friday 21 November 2003 04:35 am, Matthias Wimmer wrote:
> Hi Justin!
> Justin Karneges schrieb am 2003-11-21 01:34:41:
> > I have always wondered if maybe the JSF could act as an independent CA,
> > to create free certs for everyone.  It would mean that servers (and
> > clients too, I suppose) would have to bundle the JSF certificate, but
> > this would not be a huge deal.
> > I'm not sure how the JSF would handle proper identification of those who
> > apply..   Maybe it could just be a simple first-come first-serve thing,
> > and if someone else gets a cert for your domain before you do, then you
> > can ping stpeter to resolve the dispute. ;-)
> I don't see what we would get from this solution. Isn't it harder to
> manipulate DNS entries or IP addresses than to just be the first that
> requests a certificate?

I believe you need an active attack no matter what.  With the JSF issuing 
certificates, it would make it that much more complicated to attack 
effectively.  Working at an ISP would not be enough to perform an attack.  
You'd have to compromise the JSF servers or cert registration system somehow.

And being the first to register for a particular domain isn't going to get an 
attacker very far.  The actual server owner isn't going to be using the cert, 
and he could prove that he never got it by simply asking JSF members to 
connect to his server and see that fact.  I think an attacker would have his 
hands full trying to make this appear otherwise.
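The scenario in this message, as an added example that is not part of the original thread or any JSF code: a toy "JSF as CA" registry that issues one certificate per domain on a first-come first-served basis, and the dispute check described above, which compares the certificate a server actually presents with the one the registry issued for that domain. It assumes the openssl command-line tool is installed; the registry file format, the domain names and the function names are hypothetical.

```shell
#!/bin/sh
# Added example, not from the original thread. Models a first-come
# first-served certificate registry run by a single CA and the check a
# dispute would come down to: does the server present the registered cert?
# Assumes the openssl CLI; the registry format and names are hypothetical.
set -e

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT
REGISTRY="$WORK/registry.txt"   # one "domain sha256-fingerprint" line per domain
: > "$REGISTRY"

# The root certificate the CA would publish and servers/clients would bundle.
openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
  -subj "/CN=Toy Root CA" \
  -keyout "$WORK/ca.key" -out "$WORK/ca.pem" >/dev/null 2>&1

# fingerprint CERT_FILE: SHA-256 fingerprint of the certificate, colon-separated hex.
fingerprint() {
  openssl x509 -in "$1" -noout -fingerprint -sha256 | cut -d= -f2
}

# issue DOMAIN APPLICANT: issue a CA-signed cert for DOMAIN to APPLICANT and
# record its fingerprint. A second application for the same domain is refused,
# whoever makes it, which is the first-come first-served rule under discussion.
issue() {
  domain=$1; applicant=$2
  if grep -q "^$domain " "$REGISTRY"; then
    echo "refused: $domain already registered" >&2
    return 1
  fi
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$domain" \
    -keyout "$WORK/$applicant.key" -out "$WORK/$applicant.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/$applicant.csr" \
    -CA "$WORK/ca.pem" -CAkey "$WORK/ca.key" -CAcreateserial -days 30 \
    -out "$WORK/$applicant.pem" >/dev/null 2>&1
  echo "$domain $(fingerprint "$WORK/$applicant.pem")" >> "$REGISTRY"
}

# selfsigned DOMAIN NAME: the certificate an operator who never received a
# registry cert would be running with (self-signed here, for simplicity).
selfsigned() {
  domain=$1; name=$2
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 -subj "/CN=$domain" \
    -keyout "$WORK/$name.key" -out "$WORK/$name.pem" >/dev/null 2>&1
}

# dispute_check DOMAIN PRESENTED_CERT: succeeds only if the certificate the
# server presents is the one the registry issued for that domain. This is what
# "ask members to connect to the server and see" amounts to.
dispute_check() {
  domain=$1; presented=$2
  registered=$(grep "^$domain " "$REGISTRY" | cut -d' ' -f2)
  actual=$(fingerprint "$presented")
  [ -n "$registered" ] && [ "$registered" = "$actual" ]
}

# Scenario from the message: an attacker applies first for a domain he does
# not run; the real operator is refused and keeps serving his own certificate.
issue jabber.example.org attacker
issue jabber.example.org owner || true
selfsigned jabber.example.org owner

if dispute_check jabber.example.org "$WORK/owner.pem"; then
  echo "jabber.example.org presents the registered certificate"
else
  echo "jabber.example.org presents a different certificate: the registered one was never deployed there"
fi
```

Connecting to the real server and seeing a certificate that is not the registered one is exactly the evidence the message relies on; the attacker's certificate only passes the check on a server that he controls, which a bare first-come registration does not give him.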