To: and From: headers leak the emails/identity of communicating parties,
but it's not the only place that happens. I've never used PGP but I've used
SMIME, so I'll refer to SMIME here (that may also apply to PGP anyway). In
SMIME, the keyWrap (which contains the AES key encrypted under each
recipie

Given the images seen on the links, both certs are signed by the same
entity (I cannot see the pubKey ID but issuer names match), yet have the
same serial number 3014267. Isn't the (serial number + issuer pub key
identifier) supposed to be unique and identify a cert uniquely?

Is it common practice

In CT, how do you tell if a newly-generated cert is legitimate or not?
Say, I am a state-sponsored attacker and can get a cert signed by my
national CA for Barclays. How do you tell this cert is not legitimate? It
could have been Barclays' IT admin who asked for a new cert.

Do companies need to lia