On Fri, Jun 27, 2003 at 12:56:24AM +1000, Mister Lee wrote:
> Regarding the usefulness of SSLbar itself, its immediate purpose was 
> fingerprint display, as a (theoretically) easy means of checking a cert's 
> validity yourself, rather than relying on a third party signing.  That list 
> of "officially sanctioned CAs" that comes with browsers just keeps getting 
> longer and longer.  I don't know who the hell any of those organizations are, 
> or what their policies are...  Anyway, SSLbar could be made much more useful 
> if I were to have it (somehow) cache fingerprints or certs, and a flag to 
> indicate whether the user has validated them.  Implementing this requires 
> further investigation however, and I've just been pointed at this list and 
> it's archive, so I have some more reading to do :)

Maybe this is a stupid question, but exactly how are you supposed to
use this information to verify a cert? I've done an informal survey of
a few financial institutions whose sites use SSL, and the number of
them that were able to provide me with a fingerprint over the phone
was exactly zero.

                                - Adam

Adam Fields, Managing Partner, [EMAIL PROTECTED]
Surgam, Inc. is a technology consulting firm with strong background in
delivering scalable and robust enterprise web and IT applications.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to