At 02:24 PM 06/11/2003 -0700, David Honig wrote:
>At 12:42 PM 6/11/03 -0600, Anne & Lynn Wheeler wrote:
>>actually, if you had a properly secured DNS .... then you could trust DNS
>>to distribute public keys bound to a domain name in the same way they
>>distribute ip-addresses bound to a domain name.
>...
>Adding PKeys to Yellow Pages merely lets you get scammed *confidentially*.

Unfortunately, that doesn't help you against wetware attacks - the "paypa1.com" and "e-g0ld.com" web sites can have valid certs, and your browser is unlikely to notice that they're different from the certs at the sites "paypal.com" and "e-gold.com" because they've got different domain names. So it won't notice that the certs have changed, because they haven't, they're just the new certs for the new websites. And client-side certs won't help, because the bogus sites can happily accept them or ignore them.

An e-gold-specific or paypal-specific client can tell,
because it can remember that it's trying to see the real thing,
but the browser can't tell, except by bugging you with a
"Hi, this is a new site that's giving us a new cert" placebo box.
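
As an added illustration (not part of the original post), here is a site-aware check of the kind the message attributes to an e-gold-specific or paypal-specific client: it compares the hostname being visited against a pinned list of intended sites instead of relying on certificate validity. The `TRUSTED` list, the confusable table and the function names are assumptions made for this example, and whole hostnames are compared without public-suffix handling.

```python
# Added example: classify a visited hostname against the sites the user means to reach.
# TRUSTED and the confusable table are constructed for illustration.
TRUSTED = ("paypal.com", "e-gold.com")

# Look-alike glyphs folded to one representative (small constructed table).
PAIRS = (("rn", "m"), ("vv", "w"))
SINGLES = str.maketrans("105", "los")


def skeleton(host):
    """Fold visually confusable characters so look-alike names compare equal."""
    s = host.lower().rstrip(".")
    for seq, rep in PAIRS:
        s = s.replace(seq, rep)
    return s.translate(SINGLES)


def edit_distance(a, b):
    """Levenshtein distance, used to catch one-character typosquats."""
    prev = list(range(len(b) + 1))
    for i, ca in enumerate(a, 1):
        cur = [i]
        for j, cb in enumerate(b, 1):
            cur.append(min(prev[j] + 1, cur[j - 1] + 1, prev[j - 1] + (ca != cb)))
        prev = cur
    return prev[-1]


def classify(host, trusted=TRUSTED):
    """Return ('trusted'|'lookalike'|'unknown', matched pinned site or None)."""
    host = host.lower().rstrip(".")
    for site in trusted:
        if host == site or host.endswith("." + site):
            return ("trusted", site)
    for site in trusted:
        # A valid certificate for `host` says nothing about this comparison.
        if skeleton(host) == skeleton(site) or edit_distance(host, site) == 1:
            return ("lookalike", site)
    return ("unknown", None)


if __name__ == "__main__":
    for h in ("paypal.com", "paypa1.com", "e-g0ld.com", "example.org"):
        print(h, classify(h))
```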







---------------------------------------------------------------------
The Cryptography Mailing List