The security model is already broken-by-design because there is only a single padlock icon in the UI of most browsers -- there is no way to differentiate the different types of things (not 'technical key usages', but 'what do I trust the entity I associate the key with for?') in the UI.
I'm currently researching the failure of the UI in Mozilla Firefox, since it's much more likely that I'll be able to get them to change their UI than I would Opera, Microsoft, or Apple.

-Kyle H

On Fri, Jan 2, 2009 at 1:04 PM, Goetz Babin-Ebell <go...@shomitefo.de> wrote:
> dan_mit...@ymp.gov wrote:
> | What is to prevent someone from forging a root CA and then creating
> | intermediate certificates signed with SHA1, based on the forged root CA?
>
> Nothing.
> Now his problem is to get the users to include it into their list
> of trusted certs.
>
> I'm inclined to say that if they do that, they get what they deserve,
> but on second thought that is a little bit harsh:
>
> Unfortunately users only understand SSL/TLS in the way that if the
> browser displays that little lock in front of the URL, they are safe.
> Additionally they also seem to be trained to click on "accept"
> if some annoying window pops open when they want to visit a page.
>
> Often it seems they do not realize that they break the whole security
> if they do include a CA certificate they did not verify.
>
> Goetz
>
> --
> DMCA: The greed of the few outweighs the freedom of the many
>
> ______________________________________________________________________
> OpenSSL Project http://www.openssl.org
> User Support Mailing List openssl-users@openssl.org
> Automated List Manager majord...@openssl.org
> ______________________________________________________________________
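The point Goetz makes above, that nothing technical stops anyone from minting a self-signed "root" and issuing certificates under it, and that the only thing deciding whether such a chain is accepted is the client's trust store, can be shown concretely with Go's standard crypto/x509 package. The program below is an added example written for this page, not code from the thread or from the OpenSSL project: it constructs a throwaway root and a leaf certificate for the reserved name example.invalid (both constructed on the fly, nothing real), then verifies the leaf against a trust store that does not contain the root and against one that does. It also includes a small audit helper that flags any certificate in a chain signed with a deprecated hash (SHA-1, MD5, MD2), the case the original question was about. The ECDSA keys and the names are assumptions of the example only.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"fmt"
	"math/big"
	"time"
)

// demoChain holds a constructed root CA and a leaf it issued (example data only).
type demoChain struct {
	Root *x509.Certificate
	Leaf *x509.Certificate
}

// mustCert signs template with parent/priv and parses the resulting DER.
func mustCert(template, parent *x509.Certificate, pub, priv interface{}) *x509.Certificate {
	der, err := x509.CreateCertificate(rand.Reader, template, parent, pub, priv)
	if err != nil {
		panic(err)
	}
	cert, err := x509.ParseCertificate(der)
	if err != nil {
		panic(err)
	}
	return cert
}

// buildDemoChain mints a self-signed root (anyone can do this) and a server
// certificate for example.invalid signed by that root.
func buildDemoChain() demoChain {
	rootKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	leafKey, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	now := time.Now()
	rootTmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: "Constructed Demo Root (not a real CA)"},
		NotBefore:             now.Add(-time.Hour),
		NotAfter:              now.Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	root := mustCert(rootTmpl, rootTmpl, &rootKey.PublicKey, rootKey)

	leafTmpl := &x509.Certificate{
		SerialNumber: big.NewInt(2),
		Subject:      pkix.Name{CommonName: "example.invalid"},
		DNSNames:     []string{"example.invalid"},
		NotBefore:    now.Add(-time.Hour),
		NotAfter:     now.Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageServerAuth},
	}
	leaf := mustCert(leafTmpl, root, &leafKey.PublicKey, rootKey)
	return demoChain{Root: root, Leaf: leaf}
}

// chainTrusted reports whether leaf verifies for host using exactly the given
// trust anchors. An empty (non-nil) pool means "trust nothing", so the system
// store is never consulted here.
func chainTrusted(leaf *x509.Certificate, anchors []*x509.Certificate, host string) bool {
	pool := x509.NewCertPool()
	for _, a := range anchors {
		pool.AddCert(a)
	}
	_, err := leaf.Verify(x509.VerifyOptions{Roots: pool, DNSName: host})
	return err == nil
}

// weakSignatures lists certificates in chain whose signature uses a deprecated hash.
func weakSignatures(chain []*x509.Certificate) []string {
	weak := map[x509.SignatureAlgorithm]bool{
		x509.MD2WithRSA: true, x509.MD5WithRSA: true, x509.SHA1WithRSA: true,
		x509.DSAWithSHA1: true, x509.ECDSAWithSHA1: true,
	}
	var out []string
	for _, c := range chain {
		if weak[c.SignatureAlgorithm] {
			out = append(out, fmt.Sprintf("%s signed with %s", c.Subject.CommonName, c.SignatureAlgorithm))
		}
	}
	return out
}

func main() {
	c := buildDemoChain()
	fmt.Println("trusted without the forged root installed:", chainTrusted(c.Leaf, nil, "example.invalid"))
	fmt.Println("trusted once the user imports it:         ", chainTrusted(c.Leaf, []*x509.Certificate{c.Root}, "example.invalid"))
	fmt.Println("weak signatures in chain:", weakSignatures([]*x509.Certificate{c.Leaf, c.Root}))
}
```

The two verification results are the whole argument: the same chain is rejected or accepted purely on whether the root sits in the trust store, which is why an "accept" click on a CA import dialog matters far more than the padlock suggests. The weakSignatures helper is the kind of check a defender can run over an organization's trust anchors or an observed chain to spot SHA-1 (or older) signatures; modern Go verifiers additionally refuse SHA-1-signed intermediates outright.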