Security Basics mailing list archives

Re: CERTIFICATE

From: Ryan Chow <rynchow () gmail com>
Date: Mon, 28 Jan 2008 20:23:36 -0600

Whilst from an information security perspective the data beingexchanged is still being encrypted, there is a liability issue withtrusting an expired certificate.

If the certificate was issued by a Trusted Third Party (not from aninternal Certification Authority) i.e VeriSign, by trusting an expiredcertificate if there were to be any issues then there maybe norecourse for damages due to there being a waiver to liability.

You can find out more by obtaining the Certification PracticeStatement and applicable Certificate Policy from the Trusted ThirdParty which will outline the legal liability.


regards,

Ryan.

On 28/01/2008, at 12:07 PM, Ziemniak, Terrence M. wrote:

Encryption and authentication are independent of each other.

Holding a valid certificate says that the signing authority (e.g.
Verisign) attests that you (i.e. the web server servicing your site)arewho you claim to be. Conversely if your certificate is not acceptedby
your browser (due to name conflict, expiration, or revocation) your
identity is in question.

But if you accept the invalid certificate, the server and client will
still utilize HTTPS based on whatever configuration they cannegotiate.
So yes the data will still by encrypted.  If you want to see this in
action, fire up wireshark.

Other uses of certificates may get a little more complicated.  For
example if you use certificates to authenticate to VPN, an expiredcert
will prevent you from getting onto the VPN. But in that case you are
still not running cleartext - you are just not running at all.

Terry

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of anon () yahoo com
Sent: Monday, January 28, 2008 1:28 AM
To: security-basics () securityfocus com
Subject: CERTIFICATE
could someone tell me what would happen to encrypted traffic if youhave
an expired certificate?? Does the traffic flow in clear text
henceforth?? or just that the credebility of traffic from that source
cannot be accounted for??

Current thread:

CERTIFICATE anon (Jan 28)
- RE: CERTIFICATE benoni.martin (Jan 28)
- Re: CERTIFICATE Mark Owen (Jan 28)
- Re: CERTIFICATE Geoffrey Gowey (Jan 28)
- Re: CERTIFICATE Aaron Howell (Jan 28)
- Re: CERTIFICATE PCSC Information Services (Jan 28)
- Re: CERTIFICATE Ali, Saqib (Jan 28)
- RE: CERTIFICATE Roantree, Conor (Jan 29)
- <Possible follow-ups>
- RE: CERTIFICATE Ziemniak, Terrence M. (Jan 28)
  - Re: CERTIFICATE Ryan Chow (Jan 29)
- Re: RE: CERTIFICATE anonymous (Jan 29)