Re: Digital Certificate Implementation TN3270
- From: ulrich.boche@xxxxxx (Ulrich Boche)
- Date: 6 Oct 2008 08:17:46 -0700
Hal Merritt wrote:
That was then. This is now. The target continues to move. Plan on clientClient certificates allow the server to authenticate the client. The use of client certificates has no bearing whatsoever on the prevention of man-in-the-middle attacks.
certificates if you are subject to privacy regulations.
The reason I was given is that server only authentication is vulnerable
to a 'man in the middle' attack vector.
HTH and good luck.
To prevent this kind of attack with a mainframe emulation, you need to make sure that your client (such as IBM PCOMM):
1. only recognizes trusted Certification Authorities (like Verisign or your own company CA) for server certificates.
2. has the option selected to verify the hostname. In this case, the cn= attribute in the subject's name in the server certificate must be identical to the hostname. Alternatively, the altName= attribute can be used in the certificate to specify the hostname.
IBM PCOMM does not accept self-signed server certificates. This is helpful in preventing MITM attacks.
--
Ulrich Boche
SVA GmbH, Germany
IBM Premier Business Partner
----------------------------------------------------------------------
For IBM-MAIN subscribe / signoff / archive access instructions,
send email to listserv@xxxxxxxxxxx with the message: GET IBM-MAIN INFO
Search the archives at http://bama.ua.edu/archives/ibm-main.html
.
- Follow-Ups:
- Re: Digital Certificate Implementation TN3270
- From: Hal Merritt
- Re: Digital Certificate Implementation TN3270
- Prev by Date: RACF education/books/papers...
- Next by Date: Re: LE question about COBOL compatibility
- Previous by thread: RACF education/books/papers...
- Next by thread: Re: Digital Certificate Implementation TN3270
- Index(es):
Relevant Pages
|
