Path: utzoo!utgpu!jarvis.csri.toronto.edu!rutgers!usc!zaphod.mps.ohio-state.edu!think!ames!purdue!decwrl!ucbvax!CCC.NMFECC.GOV!NESSETT
From: NESSETT@CCC.NMFECC.GOV
Newsgroups: comp.protocols.iso
Subject: Re: X.509 vulnerabilities
Message-ID: <891220084050.22200126@CCC.NMFECC.GOV>
Date: 20 Dec 89 16:40:50 GMT
Sender: daemon@ucbvax.BERKELEY.EDU
Organization: The Internet
Lines: 24

There was one item raised in the recent discussion of certificates that I feel
requires further comment.  At least two correspondents pointed out that a recent
paper in the Symposium on Operating System Principles notes a vulnerability in
X.509.  Not having received the proceedings of that symposium as yet, I asked
people who are members of the privacy and security research group if they had
seen the paper.  The chairman of that group, Steve Kent of BBN, sent me the
following reply.

---------------------------forwarded message-----------------------------

> Dan,

> 	The paper in SOSP notes a vulnerability in the 509 authentication
> protocol, which has nothing to do with our use of certificates in mail
> or with certificates in general.  It is a typical oversight in the
> protocol design for the three-way handshake and the paper even proposes
> a fix.  So, I don't see this criticism of 509 being a significant issue,
> just a condemnation of the sloppiness of the standards process.

> Steve

---------------------------end of forwarded message----------------------

Dan Nessett