Ben Laurie wrote:
Ed Gerck wrote:
Ben Laurie wrote:
But doesn't that prove the point? The trust that you consequently
place in the web server because of the certificate _cannot_ be copied
to another webserver. That other webserver has to go out and buy its
own copy, with its own domain name it it.
A copy is something identical. So, in fact you can copy that server
cert to another server that has the same domain (load balancing), and
it will work. Web admins do it all the time. The user will not notice
any difference in how the SSL will work.
Obviously. Clearly I am talking about a server in a different domain.
Up until recently, you could buy a cert for one domain, use *it* to
issue a cert for another domain, and the major web browsers wouldn't
kick at the traces provided you sent both certs in the ssl handshake.
Thankfully, they fixed that before *too* many phishers figured it out.
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to [EMAIL PROTECTED]
