On Wed, Oct 01, 2003 at 04:48:33PM +0100, Jill Ramonsky wrote:
> But I would like to ask you to clarify something about SSL which has 
> been bugging me. Allow me to present a scenario. Suppose:
> (1) Alice runs a web server.
> (2) Bob has a web client.
> (3) Alice and Bob know each other personally, and see each other every day.
> (4) Eve is the bad guy. She runs a Certificate Authority, which is 
> trusted by Bob's browser, but not by Bob.
> Is it possible for Bob to instruct his browser to (a) refuse to trust 
> anything signed by Eve, and (b) to trust Alice's certificate (which she 
> handed to him personally)? (And if so, how?)

The list of trusted certs is part of the browser config, and can be
altered.  It would be hard to imagine a browser so badly written as
to hard-code that list.  Certainly Mozilla makes it easy (Manage Certs
under Privacy & Security in Edit Preferences) and I've even added
a self-signed server cert under IE with no trouble or inconvenience.
(Yes it did ask whether to accept the site's cert.)

Barney Wolff         http://www.databus.com/bwresume.pdf
I'm available by contract or FT, in the NYC metro area or via the 'Net.

The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]

Reply via email to