> > > The attacker could also present a certificate from a fake CA with an 
> > > appropriate name -- say, "Netscape Security Services", or something that
> > Right. In which case Netscape brings up a different dialog which
> > says that the server certificate is signed by an unrecognized
> > CA. Again, you can proceed, but it's not like it's automatic.
> 
> It's clearly not automatic, but I suspect it would work....

In many organizations which have attempted to do PKI,
it is often the case that a home-made certificate authority
with a self-signed root CA certificate is created that issues
in-house certificates for servers, clients, or whatever.
But many of those orgs. have found distributing the root CA certificate
very problematical, with the result that the acceptance dialogs 
alluded to above become routine to the user community.  The first
time this happens you probably look at what the many pop up windows
are saying, puzzle over them, & even dial up the local help desk.  The
tenth time you just hold down the mouse button & whip thru it.
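An added example, not from anyone in this thread: the in-house PKI described above, built with openssl, showing that the server certificate verifies cleanly only when the self-signed root has actually been distributed to the client's trust store. The organisation name, host name and paths are made up.

```shell
#!/bin/sh
# Added example: a home-made CA with a self-signed root, issuing a server cert.
# All names below are constructed for illustration.
set -eu
WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

make_inhouse_pki() {
  # Self-signed root CA certificate, as the organisations described above create.
  openssl req -x509 -newkey rsa:2048 -nodes -days 365 \
    -subj "/O=Example Corp/CN=Example Corp In-House Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" >/dev/null 2>&1
  # Server key and CSR, then a certificate issued by that root.
  openssl req -newkey rsa:2048 -nodes \
    -subj "/O=Example Corp/CN=intranet.example.internal" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" >/dev/null 2>&1
  openssl x509 -req -in "$WORK/server.csr" -days 90 \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -out "$WORK/server.pem" >/dev/null 2>&1
}

# A client that has the in-house root installed: chain builds, no dialog.
verify_with_trusted_root() {
  openssl verify -CAfile "$WORK/root.pem" "$WORK/server.pem" >/dev/null 2>&1
}

# A client relying only on the default trust store, which does not contain the
# home-made root: this is the "unrecognized CA" case users learn to click through.
verify_with_default_store() {
  openssl verify "$WORK/server.pem" >/dev/null 2>&1
}

make_inhouse_pki
verify_with_trusted_root && echo "root distributed: server chain verifies"
verify_with_default_store || echo "root not distributed: issuer unrecognized, dialog would appear"
```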
