On 10/16/2003 07:19 PM, David Honig wrote:
it would make sense for the original vendor website (e.g. Palm)
to have signed the MITM site's cert (palmorder.modusmedia.com),
not for Verisign to do so. Even better, for Mastercard to have signed
both Palm and palmorder.modusmedia.com as well. And
Ian Grigg:
I agree. As a side note, I think it is probably
a good idea for TLS to deprecate ADH, simply
because self-signed certs are more or less
equivalent, and by unifying the protocol around
certificates, it reduces some amount of complexity
without major loss of
Tim Dierks:
Ian Grigg:
Steven M. Bellovin:
What's your threat model? Self-signed certs are no better than ADH
against MITM attacks.
I agree. As a side note, I think it is probably
a good idea for TLS to deprecate ADH, simply
because self-signed certs
http://news.com.com/2100-7348_3-5092697.html?tag=st_lh
Federal prosecutors asked a San Francisco appeals court this week to
reverse a computer-crime conviction that punished a California man for
notifying a company's customers of a flaw in the company's e-mail service.
Filed on Tuesday in San
On Fri, 2003-10-17 at 00:58, John S. Denker wrote:
Tangentially-related point about credentials:
In a previous thread the point was made that
anonymous or pseudonymous credentials can only
say positive things. That is, I cannot discredit
you by giving you a discredential. You'll just