On Fri, Jun 27, 2003 at 12:56:24AM +1000, Mister Lee wrote:
> Regarding the usefulness of SSLbar itself, its immediate purpose was
> fingerprint display, as a (theoretically) easy means of checking a cert's
> validity yourself, rather than relying on a third party signing. That list
> of "officially sanctioned CAs" that comes with browsers just keeps getting
> longer and longer. I don't know who the hell any of those organizations are,
> or what their policies are... Anyway, SSLbar could be made much more useful
> if I were to have it (somehow) cache fingerprints or certs, and a flag to
> indicate whether the user has validated them. Implementing this requires
> further investigation however, and I've just been pointed at this list and
> its archive, so I have some more reading to do :)

Maybe this is a stupid question, but exactly how are you supposed to use
this information to verify a cert? I've done an informal survey of a few
financial institutions whose sites use SSL, and the number of them that
were able to provide me with a fingerprint over the phone was exactly zero.

--
- Adam

-----
Adam Fields, Managing Partner, [EMAIL PROTECTED]
Surgam, Inc. is a technology consulting firm with strong background in
delivering scalable and robust enterprise web and IT applications.
http://www.adamfields.com
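The cached-fingerprint idea from the quoted message, as an added example that is not SSLbar's code and was not posted to the list: a per-host cache that stores the last seen fingerprint with a "user has validated" flag, sets the flag only when a fingerprint obtained out of band matches, and reports a changed certificate instead of carrying trust over. SHA-256, all class and function names, the host name and the sample bytes are assumptions or constructed.

```python
import hashlib

HEX = "0123456789ABCDEF"

def fingerprint(der: bytes) -> str:
    """Colon-separated SHA-256 digest of the DER-encoded certificate."""
    digest = hashlib.sha256(der).hexdigest().upper()
    return ":".join(digest[i:i + 2] for i in range(0, len(digest), 2))

def normalize(fp: str) -> str:
    """Drop separators and case so a fingerprint read over the phone still matches."""
    return "".join(c for c in fp.upper() if c in HEX)

class FingerprintCache:
    """Hypothetical cache: host -> last seen fingerprint and a validated flag."""

    def __init__(self):
        self._entries = {}

    def observe(self, host: str, der: bytes) -> str:
        """Classify the certificate a server just presented."""
        fp = fingerprint(der)
        entry = self._entries.get(host)
        if entry is None:
            self._entries[host] = {"fp": fp, "validated": False}
            return "new"
        if entry["fp"] != fp:
            # Keep the old entry: a changed cert must not inherit the flag.
            return "changed"
        return "validated" if entry["validated"] else "unvalidated"

    def validate(self, host: str, out_of_band_fp: str) -> bool:
        """Set the flag only if the out-of-band fingerprint matches the cached one."""
        entry = self._entries.get(host)
        if entry is None:
            return False
        ok = normalize(entry["fp"]) == normalize(out_of_band_fp)
        entry["validated"] = entry["validated"] or ok
        return ok

# Constructed stand-ins for DER certificate bytes (not real certificates).
SAMPLE_DER = b"constructed certificate bytes A"
OTHER_DER = b"constructed certificate bytes B"

if __name__ == "__main__":
    cache = FingerprintCache()
    print(cache.observe("bank.example", SAMPLE_DER))
    print(cache.validate("bank.example", fingerprint(SAMPLE_DER).lower()))
    print(cache.observe("bank.example", OTHER_DER))
```
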