"Steven M. Bellovin" wrote:
>
> It's clearly not automatic, but I suspect it would work....
>
User behaviour is the weak point here--while the browsers WILL notify
you that the cert is signed by a CA you don't recognize, they also
give you the option of accepting the cert, which most users will just
blindly accept. Netscape gives you a couple of options here--accept
the site cert for this session only, or accept it forever; I expect lots
of users will choose "forever", since that's simpler.
--
----------------------------------------------------------------------
Marcus Leech                     Mail:   Dept 8M70, MS 012, FITZ
Systems Security Architect       Phone:  (ESN) 393-9145  +1 613 763 9145
Security and Internet Solutions  Fax:    (ESN) 395-1407  +1 613 765 1407
Nortel Networks                  [EMAIL PROTECTED]
-----------------Expressed opinions are my own, not my employer's------