On 11 Jun 2003 at 20:07, Steven M. Bellovin wrote:
> Let me point folk at http://www.securityfocus.com/news/5654 
> for a related issue.  To put it very briefly, *real*
> authentication is hard.

I don't think so.

Verisign's authentication is notoriously worthless and full of
holes, yet very few attacks have been based on getting
certificates issued to wrong party, or on stealing poorly
defended and readily accessible certificates, even though that
is quite easy to do.

One of the scams described in the paper you cite was the old
"www.e-go1d.com" scam, but done using paper, rather than the
internet -- the scammers registered a company name similar that
of a target  company owning a large block of IP addresses, and
printed letter head paper similar to that of the other company.

The problem was not that authentication was hard.  Passwords
would have sufficed.   Self signed public keys would have
worked even better.

         James A. Donald

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to