On Wed, Oct 01, 2003 at 04:48:33PM +0100, Jill Ramonsky wrote:
>
> But I would like to ask you to clarify something about SSL which has
> been bugging me. Allow me to present a scenario. Suppose:
> (1) Alice runs a web server.
> (2) Bob has a web client.
> (3) Alice and Bob know each other personally, and see each other every day.
> (4) Eve is the bad guy. She runs a Certificate Authority, which is
> trusted by Bob's browser, but not by Bob.
> Is it possible for Bob to instruct his browser to (a) refuse to trust
> anything signed by Eve, and (b) to trust Alice's certificate (which she
> handed to him personally)? (And if so, how?)

The list of trusted certs is part of the browser config, and can be
altered. It would be hard to imagine a browser so badly written as to
hard-code that list. Certainly Mozilla makes it easy (Manage Certs
under Privacy & Security in Edit Preferences) and I've even added a
self-signed server cert under IE with no trouble or inconvenience.
(Yes it did ask whether to accept the site's cert.)

-- 
Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.
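
Added example, not part of the original message: the same trust decision made for a scripted client instead of a browser, using Python's `ssl` module. The context never loads the system CA bundle, so nothing signed by Eve can verify, and the only acceptable peer is the certificate Alice handed over (assumed self-signed; the PEM path, host, port and pinned SHA-256 fingerprint are hypothetical inputs).

```python
import hashlib
import hmac
import socket
import ssl


def alice_only_context(alice_pem_path=None):
    """TLS client context whose trust store holds at most Alice's certificate.

    PROTOCOL_TLS_CLIENT turns on CERT_REQUIRED and hostname checking. The
    system CA bundle is never loaded, so a chain ending at any public CA
    (Eve's included) has no trust anchor and fails verification.
    """
    ctx = ssl.SSLContext(ssl.PROTOCOL_TLS_CLIENT)
    if alice_pem_path is not None:
        # Hypothetical path to the PEM file Alice handed over in person.
        ctx.load_verify_locations(cafile=alice_pem_path)
    return ctx


def fingerprint(der_cert):
    """SHA-256 fingerprint (lowercase hex) of a DER-encoded certificate."""
    return hashlib.sha256(der_cert).hexdigest()


def pin_matches(der_cert, pinned_hex):
    """Compare a certificate against a recorded fingerprint.

    Accepts 'AA:BB:..' or plain hex; the comparison is constant-time.
    """
    normalized = pinned_hex.replace(":", "").strip().lower()
    return hmac.compare_digest(fingerprint(der_cert), normalized)


def connect_pinned(host, port, alice_pem_path, pinned_hex):
    """Connect only if the peer presents exactly Alice's certificate."""
    ctx = alice_only_context(alice_pem_path)
    with socket.create_connection((host, port), timeout=10) as raw:
        # The handshake fails here for any chain not anchored at Alice's cert.
        with ctx.wrap_socket(raw, server_hostname=host) as tls:
            der = tls.getpeercert(binary_form=True)
            if not pin_matches(der, pinned_hex):
                raise ssl.SSLError("peer certificate does not match the pin")
            return tls.version()
```

The fingerprint check is a second, independent control: it still rejects a substituted certificate if the trust store is later widened by mistake.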