On Wed, 1 Dec 2004, Anne & Lynn Wheeler wrote:
> the other attack is on the certification authorities business process

Note that in a fair number of Certificate issuing processes common in industry the CA (sysadmin) generates both the private key -and- certificate, signs it and then exports both to the user's PC (usually as part of a VPN or Single Sign-On setup).

I've seen situations more than once where the 'CA' keeps a copy of both on file. Generally to ensure that after the termination of an employee or the loss of a laptop things 'can be set right' again.

Suffice to say that this makes eavesdropping even easier.

Dw