Security Basics mailing list archives

RE: CERTIFICATE

From: "Ziemniak, Terrence M." <tziemn2 () searshc com>
Date: Mon, 28 Jan 2008 13:07:00 -0500

Encryption and authentication are independent of each other.

Holding a valid certificate says that the signing authority (e.g.
Verisign) attests that you (i.e. the web server servicing your site) are
who you claim to be.  Conversely if your certificate is not accepted by
your browser (due to name conflict, expiration, or revocation) your
identity is in question.

But if you accept the invalid certificate, the server and client will
still utilize HTTPS based on whatever configuration they can negotiate.
So yes the data will still by encrypted.  If you want to see this in
action, fire up wireshark.

Other uses of certificates may get a little more complicated.  For
example if you use certificates to authenticate to VPN, an expired cert
will prevent you from getting onto the VPN. But in that case you are
still not running cleartext - you are just not running at all.

Terry

-----Original Message-----
From: listbounce () securityfocus com [mailto:listbounce () securityfocus com]
On Behalf Of anon () yahoo com
Sent: Monday, January 28, 2008 1:28 AM
To: security-basics () securityfocus com
Subject: CERTIFICATE

could someone tell me what would happen to encrypted traffic if you have
an expired certificate?? Does the traffic flow in clear text
henceforth?? or just that the credebility of traffic from that source
cannot be accounted for??

Current thread:

CERTIFICATE anon (Jan 28)
- RE: CERTIFICATE benoni.martin (Jan 28)
- Re: CERTIFICATE Mark Owen (Jan 28)
- Re: CERTIFICATE Geoffrey Gowey (Jan 28)
- Re: CERTIFICATE Aaron Howell (Jan 28)
- Re: CERTIFICATE PCSC Information Services (Jan 28)
- Re: CERTIFICATE Ali, Saqib (Jan 28)
- RE: CERTIFICATE Roantree, Conor (Jan 29)
- <Possible follow-ups>
- RE: CERTIFICATE Ziemniak, Terrence M. (Jan 28)
  - Re: CERTIFICATE Ryan Chow (Jan 29)
- Re: RE: CERTIFICATE anonymous (Jan 29)