Michael Helm wrote:
> 
> > > > The attacker could also present a certificate from a fake CA with an
> > > > appropriate name -- say, "Netscape Security Services", or something that
> > > Right. In which case Netscape brings up a different dialog which
> > > says that the server certificate is signed by an unrecognized
> > > CA. Again, you can proceed, but it's not like it's automatic.
> >
> > It's clearly not automatic, but I suspect it would work....
> 
> In many organizations which have attempted to do PKI,
> it is often the case that a home-made certificate authority
> with a self-signed root CA certificate is created that issues
> in-house certificates for servers, clients, or whatever.
> But many of those orgs. have found distributing the root CA certificate
> very problematical, with the result that these acceptance dialogs
> alluded to above become routine to the user community.  The first
> time this happens you probably look at what the many pop up windows
> are saying, puzzle over them, & even dial up the local help desk.  The
> tenth time you just hold down the mouse button & whip thru it.

It's simply amazing how much disinformation there is floating around about this
stuff.  If the organization attempting to do PKI isn't incompetent, they burn
their cert into the install package for the browser that they give to users,
eliminating this problem altogether.

Sorry if I'm starting to sound a bit strident.  I know that Netscape's PKI
isn't anywhere within sight of perfect, but it's better than a lot of people
give it credit for.

-- 
What is appropriate for the master is not appropriate| Tom Weinstein
for the novice.  You must understand Tao before      | [EMAIL PROTECTED]
transcending structure.  -- The Tao of Programming   |

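The point argued in this exchange, that an in-house certificate only validates cleanly when the home-made root has actually reached the client's trust store, can be shown with the openssl command line. The script below is an added example, not code from anyone on this thread; it assumes an `openssl` binary is on the PATH, and every name in it (the "Example In-House Root CA", the "intranet.example.test" server, the "Unrelated Root CA") is a constructed placeholder.

```shell
#!/bin/sh
# Added example (not from the thread): an in-house root CA, a server cert it
# issues, and what "openssl verify" says depending on whether that root has
# been distributed to the verifier's trust store. All names are made up.
set -eu

WORK=$(mktemp -d)
trap 'rm -rf "$WORK"' EXIT

# Build a throwaway PKI: a self-signed root, a server cert signed by it,
# plus a second, unrelated self-signed root to stand in for a trust store
# that never received the in-house root.
make_pki() {
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Example In-House Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null
  openssl req -new -newkey rsa:2048 -nodes \
    -subj "/CN=intranet.example.test" \
    -keyout "$WORK/server.key" -out "$WORK/server.csr" 2>/dev/null
  openssl x509 -req -days 30 -in "$WORK/server.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -out "$WORK/server.pem" 2>/dev/null
  openssl req -x509 -newkey rsa:2048 -nodes -days 30 \
    -subj "/CN=Unrelated Root CA" \
    -keyout "$WORK/other.key" -out "$WORK/other.pem" 2>/dev/null
}

# verify_against TRUSTSTORE_PEM: prints "trusted" if the server cert chains
# to a root in that file, otherwise "untrusted" (the situation a browser
# turns into the "signed by an unrecognized CA" dialog).
verify_against() {
  if openssl verify -CAfile "$1" "$WORK/server.pem" >/dev/null 2>&1; then
    echo trusted
  else
    echo untrusted
  fi
}

make_pki
echo "root distributed to trust store:  $(verify_against "$WORK/root.pem")"
echo "root never reached trust store:   $(verify_against "$WORK/other.pem")"
```

The first line prints `trusted` and the second `untrusted`: the leaf certificate is identical in both runs, so the only thing that changed is whether the verifier's store holds the issuing root. That is the difference between shipping the root in the browser's install package and training users to click through the dialog. Note also that the second root's display name plays no role in the result; chain building is by signature, not by the name in the subject.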