> Of course, this will just make the browsers pop up dialog boxes which
> everyone will click OK on...
> 

And brings us to an even more interesting question, since everything is 
trusting their in-browser root CAs and such. How trustable is the auto-update 
process? If one does provoke
a mass-revocation of certificates and everyone needs to update their 
browsers... how do the
auto-update daemons *know* that what they are getting is the real deal? 

[I haven't looked into this, just bringing it up. I'm almost certain its less 
secure than the joke that is SSL certification].

Happy New Year!

Deepak

Reply via email to