Arshad Noor wrote:
> They would know the CA that issued the particular client certificate and 
> include it in its Request/Not require client auth message.
>   
Actually, it's funny that I never thought about such an option myself. But a 
competing CA could harvest the email addresses, which are usually 
present in client certs, of the competition and spam them for their 
services... good thought ;-)

-- 
Regards 
 
Signer:         Eddy Nigg, StartCom Ltd. <http://www.startcom.org>
Jabber:         [EMAIL PROTECTED] <xmpp:[EMAIL PROTECTED]>
Blog:   Join the Revolution! <http://blog.startcom.org>
Phone:          +1.213.341.0390
 

_______________________________________________
dev-security mailing list
dev-security@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-security
