The key threat is that an attacker is able to present a cert signed (possibly indirectly) by the CA's private key and containing a fraudulent value in a field that the user of the browser relies on. Which fields those are is debatable, but the key fields are definitely the server DNS name and S/MIME email address.
And presumably the developer/distributor/endorser name in the case of signed code.
Frank
-- 
Frank Hecker
hecker.org
_______________________________________________
mozilla-crypto mailing list
[EMAIL PROTECTED]
http://mail.mozilla.org/listinfo/mozilla-crypto
