Ian Grigg <[EMAIL PROTECTED]> writes:
>> This is not a "new realization" -- this goes back a long way.
>
> OK, so maybe this part is the new realisation:

No, it isn't a new realization either, Ian. We all knew from nearly the start that the model we were using in browsers was wrong. I don't know anyone who defends it. Netscape threw SSL together in a hurry -- so much of a hurry that the first version of the protocol wasn't even any good -- and threw a bunch of certs right into the browser to bootstrap it, and no one has particularly liked the situation ever since.

That doesn't mean that people are interested in throwing the baby out with the bathwater, either, as you have in suggesting that people should just send credit card numbers in the clear because passive interception is (you have claimed) not an issue.

> Too many words? OK, here's the short version
> of why phishing occurs:
>
> "Browsers implement SSL+PKI and SSL+PKI is
> secure so we don't need to worry about it."

I am unaware of real security professionals who hold that opinion or ever held it, or even a variation on it. Perhaps there are a handful out there, but it isn't the majority. Again, you are telling people what they already know.

--
Perry E. Metzger [EMAIL PROTECTED]

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]