On Wed, Aug 25, 2021 at 5:20 PM Barry Scott <ba...@barrys-emacs.org> wrote:
>
> Only if this threat model matters to you or your organisation.
> Personally, it's low down among the threats I watch out for.
>
> The on-line world and the real-world are the same here.
>
> If a business changes hands then do you trust the new owners?
>
> Nothing we do with PKI certificates will answer that question.
Fair enough; but a closer parallel would be walking up to a previously-familiar street vendor and seeing a different person there. Did the business change hands, or did some random dude hop over the counter and pretend to be a new owner? But you're right, it's not usually a particularly high-risk threat.

Still, it does further weaken the value of named SSL certificates and certificate authorities; there's not actually that much difference if the server just gave you a self-signed cert. In theory, the CA is supposed to protect you against someone doing a DNS hack and substituting a different server; in practice, anyone capable of doing a large-scale DNS hack is probably capable of getting a very legit-looking SSL cert for the name as well.

ChrisA
--
https://mail.python.org/mailman/listinfo/python-list