Question
I have been looking at the SSL Certificate Trust Model, and there is something that does not make sense. If I am correct, the trust model makes it that if there is a chain of certificates with a trusted root certificate at the top of the chain, all certificates in this chain will be trusted. This does not make sense because then I could create a valid certificate for google.com with my own key pair. I would do this by taking the certificate chain of google.com, let's say Verisign, then google.com. I would leave the root certificate as it is, but modify the key pair in the google.com certificate. This certificate chain would be trusted because the root certificate is trusted, therefore all other certificates are trusted. This would allow you to create a man-in-the-middle attack.
Explanation / Answer
SSL certificates have an extension field that defines what a certificate is allowed to be used for.
When you buy a certificate from VeriSign with your certificate signing request, it typically will not include the extension permission for signing downstream certificates with your certificate; especially for any domain you don't have authority for.
Take google.com for instance (root to leaf node):
1. Equifax Secure CA - Root CA (hence implicit downstream signing authority)
2. GeoTrust Global CA - Has Certificate Signer property
3. Google Internet Authority G2 - Has Certificate Signer property but can only sign leaf nodes
4. *.google.com - Wildcard domain certificate with no authority to sign other certificates.
The browser checks validity from the root to the leaf. Any authority claimed by a leaf or intermediate certificate is assumed to have been authorised by the certificate that signed it; eventually culminating in the trust given to and from the Root Certification Authority.
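The signing-authority checks described in the answer above, as an added example that is not part of the original answer. The `Cert` model, the function name, the path length of 0 used to express "can only sign leaf nodes", and the extra certificate names are assumptions constructed for illustration; signature verification, validity dates and revocation are not modelled.

```python
from dataclasses import dataclass
from typing import List, Optional, Tuple

@dataclass
class Cert:
    """Only the fields this check needs; a model, not a parsed X.509 certificate."""
    subject: str
    issuer: str
    is_ca: bool = False              # basicConstraints: cA
    path_len: Optional[int] = None   # basicConstraints: pathLenConstraint
    key_cert_sign: bool = False      # keyUsage: keyCertSign

def check_signing_authority(chain: List[Cert]) -> Tuple[bool, str]:
    """Walk the chain root -> leaf and confirm each issuer may sign what follows it."""
    remaining = None  # CA certificates still allowed below; None means unlimited
    for i, issuer in enumerate(chain[:-1]):
        child = chain[i + 1]
        if child.issuer != issuer.subject:
            return False, f"{child.subject}: issuer does not match {issuer.subject}"
        if not (issuer.is_ca and issuer.key_cert_sign):
            return False, f"{issuer.subject}: not permitted to sign certificates"
        # Every CA below the root uses up one step of any limit set above it.
        if i > 0 and remaining is not None:
            if remaining == 0:
                return False, f"{issuer.subject}: path length constraint exceeded"
            remaining -= 1
        # A tighter limit declared by this issuer applies to everything below it.
        if issuer.path_len is not None and (remaining is None or issuer.path_len < remaining):
            remaining = issuer.path_len
    return True, "ok"

# Constructed sample modelled on the chain listed in the answer.
ROOT = Cert("Equifax Secure CA", "Equifax Secure CA", True, None, True)
GEOTRUST = Cert("GeoTrust Global CA", "Equifax Secure CA", True, None, True)
GIA_G2 = Cert("Google Internet Authority G2", "GeoTrust Global CA", True, 0, True)
LEAF = Cert("*.google.com", "Google Internet Authority G2")

GOOD_CHAIN = [ROOT, GEOTRUST, GIA_G2, LEAF]
# A certificate issued by the leaf: rejected because the leaf is not a CA.
SIGNED_BY_LEAF = GOOD_CHAIN + [Cert("mail.google.com", "*.google.com")]
# A sub-CA under G2, then a leaf: rejected because G2 may only sign leaf certificates.
SUB_CA = Cert("Hypothetical Sub CA", "Google Internet Authority G2", True, None, True)
TOO_DEEP = [ROOT, GEOTRUST, GIA_G2, SUB_CA, Cert("www.google.com", "Hypothetical Sub CA")]

if __name__ == "__main__":
    for name, chain in [("good", GOOD_CHAIN), ("signed by leaf", SIGNED_BY_LEAF), ("too deep", TOO_DEEP)]:
        print(name, check_signing_authority(chain))
```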