On 01/23/2012 03:24 PM, Mark H. Wood wrote:
> On Sat, Jan 21, 2012 at 01:49:20PM -0800, Ken Hagler wrote:
> > (...)
>
> I guess that the lesson is: don't assume. Find out for yourself
> whether a CA is worthy of your trust, before trusting.

Well, that could be a big challenge. In addition consider those:

http://petsymposium.org/2010/papers/hotpets10-Soghoian.pdf
http://googleonlinesecurity.blogspot.com/2011/08/update-on-attempted-man-in-middle.html
https://bugzilla.mozilla.org/show_bug.cgi?id=682956
http://www.f-secure.com/weblog/archives/00002128.html
https://blog.torproject.org/blog/diginotar-damage-disclosure
http://www.links.org/?p=1196
...

And many, many more examples. There were discussions about x509 and CAs' credibility or ability to perform their tasks. Not much to add here I think.

--
Regards,
Milo