At 02:24 PM 06/11/2003 -0700, David Honig wrote:
At 12:42 PM 6/11/03 -0600, Anne & Lynn Wheeler wrote:
>actually, if you had a properly secured DNS .... then you could trust DNS
>to distribute public keys bound to a domain name in the same way they
>distribute ip-addresses bound to a domain name.
...
Adding PKeys to Yellow Pages merely lets you get scammed *confidentially*.
Unfortunately, that doesn't help you against wetware attacks -
the "paypa1.com" and "e-g0ld.com" web sites can have valid certs,
and your browser is unlikely to notice that they're different
from the certs at the sites "paypal.com" and "e-gold.com"
because they've got different domain names.
So it won't notice that the certs have changed, because they haven't,
they're just the new certs for the new websites.
And client-side certs won't help, because the bogus sites
can happily accept them or ignore them.
An e-gold-specific or paypal-specific client can tell,
because it can remember that it's trying to see the real thing,
but the browser can't tell, except by bugging you about a
"Hi, this is a new site that's giving us a new cert" placebo box.
---------------------------------------------------------------------
The Cryptography Mailing List
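The check a site-specific client can make and a generic browser cannot, as an added example that is not part of the original message: the client remembers which sites it means to reach and flags hostnames that merely look like them, regardless of whether the certificate is valid. `KNOWN_SITES`, the `CONFUSABLE` folding table and the one-edit threshold are assumptions chosen for illustration, and only exact hostnames (no subdomains) are compared.

```python
# Added example: classify a hostname against sites the client "remembers".
# KNOWN_SITES and CONFUSABLE are illustrative assumptions, not a complete list.
KNOWN_SITES = {"paypal.com", "e-gold.com"}

# Fold visually similar ASCII characters to a single representative.
CONFUSABLE = str.maketrans({"1": "l", "i": "l", "0": "o", "5": "s"})


def skeleton(host: str) -> str:
    """Normalize a hostname so look-alike spellings collapse together."""
    host = host.lower().rstrip(".")
    return host.translate(CONFUSABLE).replace("rn", "m").replace("vv", "w")


def edit_distance(a: str, b: str) -> int:
    """Levenshtein distance, row by row."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host: str):
    """Return ('known' | 'lookalike' | 'unrelated', matched_site_or_None)."""
    host = host.lower().rstrip(".")
    if host in KNOWN_SITES:
        return ("known", host)
    sk = skeleton(host)
    for site in sorted(KNOWN_SITES):
        # Same skeleton (character swap) or one edit away (dropped/added char).
        if sk == skeleton(site) or edit_distance(sk, skeleton(site)) == 1:
            return ("lookalike", site)
    return ("unrelated", None)


if __name__ == "__main__":
    for h in ["paypal.com", "paypa1.com", "e-g0ld.com", "egold.com", "example.org"]:
        print(h, classify(h))
```

The result depends only on the name, so a valid certificate on the look-alike host does not change the classification.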