Thierry Moreau <[EMAIL PROTECTED]> writes:

> At first, it seems neat. But then, looking at how it works in practice: the
> client receives an e-mail notification soliciting him to click on a HTML link
> and then enroll for a security certificate, the client is solicited exactly
> like a phishing criminal would do,

Correction, "exactly like phishing criminals are actively doing right now" (hat tip to Don Jackson of SecureWorks who's investigated and documented this practice). Given the almost complete failure of client certs in the marketplace, I found it most amusing that the current active users of "client certs" are phishers. It reminded me of spammers and SPF.

> Title: Sender driven certification enrollment system
> Document Type and Number: United States Patent 6651166
> Link to this page: http://www.freepatentsonline.com/6651166.html
>
> Filing Date: 04/09/1998
> Publication Date: 11/18/2003

Thus postdating Microsoft's CertEnroll/Certenr3/Xenroll ActiveX control by several years. The only difference here is that the user generates the cert directly rather than involving a CA.

Peter.

---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]