Spoofing a certificate

I seem to vaguely recall a paper I saw once about certificate spoofing. I want to reference it now in a paper I'm writing, but can't seem to find any reference to it. Perhaps someone knows what I'm talking about.

The paper was about creating a spoofed certificate so that it appears identical to a legitimate one. Obviously, the public key and the CA's signature couldn't be identical, but the textual fields that people would tend to look at certainly could. The main focus of this paper was trying to get the thumbprint just right. Obviously, it would be very difficult to get it exactly right, but that isn't really necessary. When checking thumbprints, no one really looks past the first few bytes. If they match, there's no reason to look much deeper.

Anyone have any ideas if this is even possible? Any references to doing something like this?

By smithsaa at 2007-11-26 18:51:18
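The habit described in the question, checking only the first few bytes of a thumbprint, set beside a full comparison, as an added example that is not part of the original thread. The certificate bytes are a constructed stand-in, SHA-256 is an assumed thumbprint algorithm, and every function name is hypothetical.

```python
import hashlib
import hmac

DIGEST_LEN = {"sha1": 20, "sha256": 32}  # full digest sizes in bytes

def normalize(pin: str) -> bytes:
    """Drop the separators certificate viewers add, then decode the hex."""
    return bytes.fromhex("".join(c for c in pin if c not in ": -"))

def thumbprint(der: bytes, algo: str = "sha256") -> bytes:
    """A thumbprint is the digest of the whole DER-encoded certificate."""
    return hashlib.new(algo, der).digest()

def show(raw: bytes) -> str:
    """Render a digest the way certificate dialogs do (AA:BB:CC...)."""
    return ":".join(f"{b:02X}" for b in raw)

def prefix_check(der: bytes, pin: str, nbytes: int = 4, algo: str = "sha256") -> bool:
    """The habit described in the question: compare only the first bytes."""
    return thumbprint(der, algo)[:nbytes] == normalize(pin)[:nbytes]

def full_check(der: bytes, pin: str, algo: str = "sha256") -> bool:
    """Refuse truncated pins, then compare every byte in constant time."""
    want = normalize(pin)
    if len(want) != DIGEST_LEN[algo]:
        raise ValueError("pin is truncated or uses another digest algorithm")
    return hmac.compare_digest(thumbprint(der, algo), want)

def first_difference(der: bytes, pin: str, algo: str = "sha256") -> int:
    """Index of the first differing byte, or -1 if the values are equal."""
    got, want = thumbprint(der, algo), normalize(pin)
    for i, (a, b) in enumerate(zip(got, want)):
        if a != b:
            return i
    return -1 if len(got) == len(want) else min(len(got), len(want))

# Constructed sample data: a stand-in for certificate bytes, and a pin that
# agrees with its thumbprint in the first 4 bytes only (built by editing the
# real digest, not by searching for a matching certificate).
CERT_DER = b"constructed stand-in for a DER-encoded certificate"
REAL = thumbprint(CERT_DER)
GOOD_PIN = show(REAL)
LOOKALIKE_PIN = show(REAL[:4] + bytes(b ^ 0xFF for b in REAL[4:]))

if __name__ == "__main__":
    print("prefix check accepts lookalike:", prefix_check(CERT_DER, LOOKALIKE_PIN))
    print("full check accepts lookalike:  ", full_check(CERT_DER, LOOKALIKE_PIN))
    print("first differing byte index:    ", first_difference(CERT_DER, LOOKALIKE_PIN))
```

The length test in `full_check` is what stops a pin that was itself copied down as only the first few bytes from being accepted.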
# 1
This is something a little bit different, but maybe it helps: http://www.win.tue.nl/hashclash/TargetCollidingCertificates/TargetCollidingCertificatesAnnouncementv1.1.pdf
Maaartina at 2007-7-9 6:25:24