Marsh Ray | 1 Sep 2010 03:56

Re: Root certificates in server certificate chains

On 08/31/2010 07:09 PM, Matt McCutchen wrote:
> The following is my understanding.  Others should feel free to disagree
> or correct me.
>
> On Tue, 2010-08-31 at 22:30 +0000, 1.41421 <at> gmail.com wrote:
>> The standard (RFC 5246, sec. 7.4.2) says that a server certificate
>> chain may include, as the last entry in this chain, the root
>> certificate that is to be considered the ultimate trust anchor as far
>> as the server certificate is concerned. What would prevent an attacker
>> from inserting a Certificate message of its own during the handshake,
>> containing a totally bogus root certificate?
>
> Like any other tampering with the handshake, this would cause the
> Finished check to fail.

Not if the attacker is successful in getting the client to accept his 
proposed root certificate.

>> Actually, doesn't this render the whole idea of authentication of the
>> remote useless?

Sure, if the client is willing to accept it.

>> How can one make sure that a root certificate received
>> in a certificate chain is genuine?

Perhaps the client already trusts that root cert or key? If so, why even 
bother to send it?

>> But, in this case, why allow the server to include a root certificate
>> in the certificate chain in the first place?
>
> Perhaps as a hint to clients that might decide they wish to add that
> certificate as a trust anchor, possibly after further research?

To make it easier for users to "Permanently store this exception"?  :-P

- Marsh
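As an added illustration of the point made in this exchange (example code, not part of Marsh's message or of the original thread), the following Go program uses only the standard-library crypto/x509 verifier. It constructs a self-signed "Bogus Root CA" with a leaf for the same host name as a genuine chain, then shows that a client whose trust anchors come only from its own store rejects the bogus chain regardless of the root that follows the leaf, while a client that promotes the trailing self-signed certificate to a trust anchor accepts it. The host name example.test, the CA names, serial numbers and all helper functions are constructed for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// template returns a minimal certificate template: CAs get basic constraints,
// leaves get a SAN; the serverAuth EKU on both satisfies the verifier's EKU check.
func template(cn string, isCA bool, serial int64) *x509.Certificate {
	t := &x509.Certificate{
		SerialNumber:          big.NewInt(serial),
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Hour),
		NotAfter:              time.Now().Add(24 * time.Hour),
		BasicConstraintsValid: true,
		IsCA:                  isCA,
		KeyUsage:              x509.KeyUsageDigitalSignature | x509.KeyUsageCertSign,
		ExtKeyUsage:           []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	if !isCA {
		t.DNSNames = []string{cn}
	}
	return t
}

// newKey generates a P-256 key; a crypto/rand failure is unrecoverable, so panic.
func newKey() *ecdsa.PrivateKey {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return k
}

// mustIssue signs tmpl under parent with signer and parses the result; passing the
// template as its own parent yields a self-signed certificate. Fixture-only, so it panics.
func mustIssue(tmpl, parent *x509.Certificate, pub *ecdsa.PublicKey, signer *ecdsa.PrivateKey) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, signer)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// ChainFor builds a self-signed CA named caName and a leaf for host issued by it, returned
// as [leaf, root], the order a server sends them. Anyone can build such a chain.
func ChainFor(caName, host string, serial int64) []*x509.Certificate {
	caKey, leafKey := newKey(), newKey()
	rootTmpl := template(caName, true, serial)
	root := mustIssue(rootTmpl, rootTmpl, &caKey.PublicKey, caKey)
	leaf := mustIssue(template(host, false, serial+1), root, &leafKey.PublicKey, caKey)
	return []*x509.Certificate{leaf, root}
}

// VerifyServerChain validates the way a client must: chain[0] is the end-entity
// certificate, everything else the server sent is at most an intermediate, and trust
// anchors come only from the client's own store, never from what was sent.
func VerifyServerChain(chain, trustStore []*x509.Certificate, host string) error {
	if len(chain) == 0 {
		return fmt.Errorf("empty certificate chain")
	}
	roots, intermediates := x509.NewCertPool(), x509.NewCertPool()
	for _, c := range trustStore {
		roots.AddCert(c)
	}
	for _, c := range chain[1:] {
		intermediates.AddCert(c)
	}
	_, err := chain[0].Verify(x509.VerifyOptions{DNSName: host, Roots: roots, Intermediates: intermediates})
	return err
}

// VerifyTrustingSentRoot is the mistake the thread is about: a self-signed certificate
// closing the server's chain is promoted to a trust anchor, so any home-made chain passes.
func VerifyTrustingSentRoot(chain, trustStore []*x509.Certificate, host string) error {
	store := append([]*x509.Certificate{}, trustStore...)
	if n := len(chain); n > 0 && chain[n-1].CheckSignatureFrom(chain[n-1]) == nil {
		store = append(store, chain[n-1]) // "it signs itself, so it must be a root"
	}
	return VerifyServerChain(chain, store, host)
}

func main() {
	genuine := ChainFor("Genuine Root CA", "example.test", 1)
	bogus := ChainFor("Bogus Root CA", "example.test", 3) // same name, different issuer
	store := []*x509.Certificate{genuine[1]}              // client's own store: genuine root only
	fmt.Println("genuine chain, own store:    ", VerifyServerChain(genuine, store, "example.test"))
	fmt.Println("bogus chain, own store:      ", VerifyServerChain(bogus, store, "example.test"))
	fmt.Println("bogus chain, trust sent root:", VerifyTrustingSentRoot(bogus, store, "example.test"))
}
```

The first two lines of output show the check the RFC's wording relies on: the trailing root is placed only in the intermediates pool, so the bogus chain fails with an unknown-authority error while the genuine chain, whose root is already in the client's store, verifies even though the same root was also sent. The third line is the "permanently store this exception" behaviour in code form.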
