On Mon, Aug 11, 2008 at 02:50:55AM -0700, David Schwartz wrote:
> 
> Ted Ts'o wrote:
> 
> > At this point, you've just spent reams and reams of electrons stating
> > the obvious.
> 
> Yes, for the second time, because some people *still* don't understand it.
> (It's quite obvious to you and me, not so obvious to the people who still
> don't get it.)

David,

I think you have a problem of not making clear what you actually mean.

I'm going to give 3 examples of how I could read what you were saying so
far:

1. A client connects to a server, but the server has been compromised
   and someone knows its secret key.  The client properly checks
   that the key is valid.
2. A client connects to a server, but the client has been compromised
   and now accepts any or certain keys it's been offered.  The client
   software is/was written to do proper checking.
3. A client connects to a server, but it accepts the public key the
   server or attacker returns because it doesn't do proper checking.
   

I now think that people understand that you meant one of the first 2
cases but you actually meant the 3rd.  And if you actually meant the 3rd,
that's not what I was reading in the other mails.


Kurt

______________________________________________________________________
OpenSSL Project                                 http://www.openssl.org
Development Mailing List                       openssl-dev@openssl.org
Automated List Manager                           [EMAIL PROTECTED]
