In the January issue of Computer Security Journal, Carl Ellison and Bruce
Schneier have an article, "Ten Risks of PKI: What You're not Being Told about
Public Key Infrastructure".
It can be found at http://www.counterpane.com/pki-risks.html
It really addresses policy and process issues more than te
>
> If users accept certificates without some independent way of verifying
> the identity of the signer, then this obviates the entire point of
> certificates, which is to prevent active attack on the connection.
> The vast majority of the complexity of SSL is there to prevent
> active attack. B
"Leland V. Lammert" <[EMAIL PROTECTED]> writes:
> At 03:09 PM 6/12/00, you wrote:
> >Interesting... I don't quite understand what the preloaded root certs
> >have as extra value.
>
> The ONLY reason for e-commerce folks to sign up with a Root Cert CA
> (like Verisign or Thawte) is to prevent th
At 03:09 PM 6/12/00, you wrote:
>Interesting... I don't quite understand what the preloaded root certs
>have as extra value.
The ONLY reason for e-commerce folks to sign up with a Root Cert CA (like Verisign or
Thawte) is to prevent the nasty messages when a user initiates an SSL connection.
O
On Tue, 13 Jun 2000, Douglas Wikström wrote:
> What you are saying is that I am free to buy stuff on the internet,
> sending the seller my credit card number, and then tell the Bank it was
> not me. Given the following attack scenario I can't believe that is the
> case:
>
Yup. If yo
Hello!
> > 4. At the practical and everyday level, we can be pretty sure that the
> > certs delivered with Netscape and IE are OK. If we go to some fairly
> > well-traversed public site using one of these certs, some red flags will
> > go up when you get signature mis-matches... That will t
On Mon, 12 Jun 2000, Yuji Shinozaki wrote:
> I think the problem is multi-leveled:
>
>
> 4. At the practical and everyday level, we can be pretty sure that the
> certs delivered with Netscape and IE are OK. If we go to some fairly
> well-traversed public site using one of these certs, some
Richard Levitte - VMS Whacker wrote:
>
>
> Oh, what a beautiful mixup I did there between server and client
> certs! Even got myself confused :-). However, the fact still
> remains, there's no trust path of value to me, the value of certer
> certs in themselves is more or less none, except to
On Mon, 12 Jun 2000, Richard Levitte - VMS Whacker wrote:
> Oh, what a beautiful mixup I did there between server and client
> certs! Even got myself confused :-). However, the fact still
> remains, there's no trust path of value to me, the value of certer
> certs in themselves is more or less
From: Bill Klein <[EMAIL PROTECTED]>
bill> Richard Levitte wrote:
bill> >Interesting... I don't quite understand what the preloaded root certs
bill> >have as extra value. I for one don't really know anyone at Verisign
bill> >or Thawte, and can therefore not give them more trust than anyone else
10 matches