| | >But is what they are doing wrong?
| | 
| | The users?  No, not really, in that given the extensive conditioning
| | they've been subject to, they're doing the logical thing, which is not
| | any attention to certificates.  That's why I've been taking the
| | (somewhat radical) view that PKI in browsers is a lost cause - apart from
| | minute segment of hardcore geeks, neither users nor web site admins
| | understand it or care about it, and no amount of frantic turd polishing
| | save us any more because it's about ten years too late for that - this
| | approach has been about as effective as "Just say no" has for STD's and
| | That's why I've been advocating alternative measures like mutual
| | response authentication, it's definitely still got its problems but it's
| | nothing like the mess we're in at the moment.  PKI in browsers has had
| | years to start working and has failed completely, how many more years are we
| | going to keep diligently polishing away before we start looking at
| | approaches?
| I agreed with your analysis when I read it - and then went on to my next
| message, also from you, which refers to your retrospective on the year and
| a pointer to a page at financialcryptography.  So ... I try to download
| page - using my trusty Netscape 3.01, which with tons of things turned off
| (Java, Javascript, background images, autoloading of images) remains my
| work-a-day browser, giving decent performance on an old Sun box.
| Well, guess what:
|       Netscape and this server cannot communicate securely
|       because they have no common cryptographic algorithm(s).
| So ... we have the worst possible combination:  A system that doesn't
| which is forced on you even when you don't care about it (I can live with
| the possibility that someone will do a MITM attack on my attempt to read
| article).
| Sigh.
BTW, illustrating points made here, the cert is for
but your link was to www.financialcryptography.com.  So of course Firefox
generated a warning....
                                                        -- Jerry

The Cryptography Mailing List