dan_mit...@ymp.gov wrote:
| What is to prevent someone from forging a root CA and then creating
| intermediate certificates signed with SHA1, based on the forged root CA?
Nothing. Now his problem is to get the users to include it in their list of trusted certs.

I'm inclined to say that if they do that, they get what they deserve, but on second thought that is a little bit harsh: unfortunately users only understand SSL/TLS in the way that if the browser displays that little lock in front of the URL, they are safe. Additionally they also seem to be trained to click on "accept" if some annoying window pops open when they want to visit a page. Often it seems they do not realize that they break the whole security if they do include a CA certificate they did not verify.

Goetz

-- 
DMCA: The greed of the few outweighs the freedom of the many

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
User Support Mailing List                    openssl-users@openssl.org
Automated List Manager                           majord...@openssl.org
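The point of the reply above, as an added example that is not part of the original thread: a self-signed root that anyone can mint verifies nothing until it is placed in the verifier's trust store. It assumes the openssl command-line tool is installed; the names genuine_root, bogus_root and bogus_inter and all files are constructed for the demo.

```shell
#!/bin/sh
# Added example, not from the original thread. Assumes the openssl CLI;
# every name and file here is constructed and lives in a scratch directory.
set -e
WORK=$(mktemp -d)
cd "$WORK"

# Extensions that every CA certificate in this demo carries.
printf 'basicConstraints=critical,CA:TRUE\n' > ca.ext

# make_root NAME: mint a self-signed CA certificate NAME.pem. Anyone can do
# this; the certificate asserts its own name and carries no trust by itself.
make_root() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -signkey "$1.key" -days 1 -sha256 \
    -extfile ca.ext -out "$1.pem" 2>/dev/null
}

# make_intermediate NAME ISSUER: issue an intermediate CA certificate under
# ISSUER, exactly as the quoted question describes.
make_intermediate() {
  openssl req -new -newkey rsa:2048 -nodes -subj "/CN=$1" \
    -keyout "$1.key" -out "$1.csr" 2>/dev/null
  openssl x509 -req -in "$1.csr" -CA "$2.pem" -CAkey "$2.key" -CAcreateserial \
    -days 1 -sha256 -extfile ca.ext -out "$1.pem" 2>/dev/null
}

# chain_status CERT TRUSTFILE: echo "trusted" or "untrusted" for CERT when
# the certificates in TRUSTFILE are the verifier's trust anchors.
chain_status() {
  if openssl verify -CAfile "$2" "$1" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

make_root genuine_root                 # the root the user's browser ships with
make_root bogus_root                   # a root somebody else made up
make_intermediate bogus_inter bogus_root

cp genuine_root.pem store.pem          # the trust store as shipped
chain_status bogus_inter.pem store.pem # -> untrusted: the forged root is unknown

cat bogus_root.pem >> store.pem        # the user clicked "accept" on it
chain_status bogus_inter.pem store.pem # -> trusted: the only barrier was the store
```

The same intermediate is rejected or accepted purely on what the trust store contains; nothing about the certificate itself changed between the two checks.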