Frank Hecker wrote:
Gervase Markham wrote:

...and there's a white paper which goes into more depth.
http://geotrust.com/resources/white_papers/pdfs/SSLVulnerabilityWPcds.pdf


Hey Ian, they read your blog :-) See the footnote to page 11 (page 13 in the PDF).


Indeed, I just got to that part myself!

Note that the Geotrust paper basically contradicts the thrust of the TechWorld article Ian previously referenced ("SSL 'security' aiding online fraud"). The story is promoting the position that domain-validated SSL certs are bad, and hence only identity-validated certs should be used, while the Geotrust paper is promoting the idea that non-domain identity info in certs is inherently unreliable and that using domain-validated certs can be a perfectly reasonable decision.


Yes I saw that.  I guess this total contradiction in
reporting from well presented arguments should tell
us how difficult it is.

I had to read with breath a-bated all the way to the end
to see what their solution was, and it was ... not so
shocking :)


It's interesting to see discussion heating up around the topic of CAs and their roles, and of course this is all useful background for future decisions we might make regarding browser UI.


Yes Sir!  The more browser manufacturers do to change
the model, the more cages get rattled.  And the more
cages get rattled, the more people will wake up and
see the monster.  It's all to the good, we need things
like Opera's attempt to get minds focused.  I did read
somewhere that Microsoft were going to release a beta
in May or somesuch, which will set the gorilla's cage
shaking.

iang

--
News and views on what matters in finance+crypto:
        http://financialcryptography.com/
_______________________________________________
Mozilla-security mailing list
[email protected]
http://mail.mozilla.org/listinfo/mozilla-security
