Florian Weimer wrote:
> Even if you've got the certificate, you need to attack IP routing or
> DNS. If you can do that, chances are that you can mount this attack
> against one of the domain-validating RAs, and still receive a
> certificate. So the browser PKI is currently irrelevant for practical
> purposes (beyond CA revenues and giving users a warm, fuzzy feeling),
> even if everybody follows established RA procedures.

Oh Florian, come on! You know the MITM techniques within a LAN very well. So I take your comment simply as a provocation saying that maintaining a cert store with pre-trusted root CA certs is not worth the effort at all. But that's also not entirely true.

Ciao, Michael.
_______________________________________________
dev-tech-crypto mailing list
dev-tech-crypto@lists.mozilla.org
https://lists.mozilla.org/listinfo/dev-tech-crypto