On Dec 26, 2008, at 2:39 AM, Peter Gutmann wrote:

d...@geer.org writes:

I'm hoping this is just a single instance but it makes you remember that the browser pre-trusted certificate authorities really need to be cleaned up.

Given the more or less complete failure of commercial PKI for both SSL web browsing and code-signing (as evidenced by the multibillion-dollar cybercrime industry freely doing all the things that SSL certs and code-signing were supposed to prevent them from doing), it's not so much "cleaned up" as "replaced with something that may actually work"....
I just had an interesting experience with a different sort of failure: I tried to buy a DVD from The Teaching Company (www.teach12.com). When I went to check out - or even when I connect to the top level at https://www.teach12.com - I get a complaint that their cert is signed by an unknown authority. It turns out that they recently put an EV certificate in place. It's issued by "VeriSign Class 3 Extended Validation SSL SGC CA" - which neither Safari 3.2.1 nor Firefox 3.0.5 on my Mac have ever heard of!
I got in touch with the company and actually received intelligent responses both at their 800 number - I placed my order that way - and in a response from their customer service people. Most remarkable - almost all organizations ignore such communication. It's ironic that those who appear to be trying the hardest are being screwed over by the system that's currently in place - and will inadvertently be involved in training users to simply bypass yet another kind of bad cert warning.
(I can highly recommend the courses that The Teaching Company distributes, by the way. I usually borrow them from the library, but I've bought a few of the best here and there - especially when they have sales, as they do right now.)
-- Jerry
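The failure Jerry describes above, a leaf certificate whose issuing intermediate CA the browser does not already know, is the condition a site operator should test for before deploying a new certificate. The following is an added example and not part of the original message or thread: it builds a throwaway root/intermediate/leaf chain with openssl and shows that the leaf verifies against a root-only trust store only when the intermediate that issued it is supplied alongside it. All names, files and the temporary directory are constructed for this example.

```shell
#!/bin/sh
# Added example (not from the original message): demonstrate the
# "unknown authority" failure mode with a constructed root -> intermediate
# -> leaf chain. The leaf only verifies when the client is given the
# intermediate, which in practice the web server has to send.
set -e

WORK="$(mktemp -d)"                      # constructed scratch directory
trap 'rm -rf "$WORK"' EXIT

make_chain() {
  # Root CA (self-signed); this is the only cert the "browser" trusts.
  openssl req -x509 -newkey rsa:2048 -nodes -sha256 -days 2 \
    -subj "/CN=Example Root CA" \
    -keyout "$WORK/root.key" -out "$WORK/root.pem" 2>/dev/null

  # Intermediate CA: CSR signed by the root with CA:TRUE.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=Example Intermediate CA" \
    -keyout "$WORK/int.key" -out "$WORK/int.csr" 2>/dev/null
  printf 'basicConstraints=critical,CA:TRUE\nkeyUsage=critical,keyCertSign,cRLSign\n' \
    > "$WORK/int.ext"
  openssl x509 -req -sha256 -days 2 -in "$WORK/int.csr" \
    -CA "$WORK/root.pem" -CAkey "$WORK/root.key" -CAcreateserial \
    -extfile "$WORK/int.ext" -out "$WORK/int.pem" 2>/dev/null

  # Server (leaf) certificate, signed by the intermediate only.
  openssl req -new -newkey rsa:2048 -nodes -sha256 \
    -subj "/CN=www.example.test" \
    -keyout "$WORK/leaf.key" -out "$WORK/leaf.csr" 2>/dev/null
  printf 'basicConstraints=CA:FALSE\nsubjectAltName=DNS:www.example.test\n' \
    > "$WORK/leaf.ext"
  openssl x509 -req -sha256 -days 2 -in "$WORK/leaf.csr" \
    -CA "$WORK/int.pem" -CAkey "$WORK/int.key" -CAcreateserial \
    -extfile "$WORK/leaf.ext" -out "$WORK/leaf.pem" 2>/dev/null
}

# Verify the leaf with a trust store that holds only the root.
# $1 = file of additional (untrusted) certs the "server" sent, or "" for none.
# Prints "ok" when a path to the root is found, "unknown-issuer" otherwise.
verify_leaf() {
  if [ -n "$1" ]; then
    openssl verify -CAfile "$WORK/root.pem" -untrusted "$1" "$WORK/leaf.pem" \
      >/dev/null 2>&1 && echo ok || echo unknown-issuer
  else
    openssl verify -CAfile "$WORK/root.pem" "$WORK/leaf.pem" \
      >/dev/null 2>&1 && echo ok || echo unknown-issuer
  fi
}

make_chain
leaf_alone="$(verify_leaf "")"            # server sends only the leaf
leaf_with_int="$(verify_leaf "$WORK/int.pem")"  # server sends leaf + intermediate
echo "leaf only:          $leaf_alone"
echo "leaf + intermediate: $leaf_with_int"
```

Against a live site the equivalent check is `openssl s_client -connect host:443 -showcerts`, which lists every certificate the server actually sends; feeding those to `openssl verify` against the client's root store (with the intermediates passed via `-untrusted`) reproduces the browser's decision. A chain that stops at an intermediate the store does not contain is exactly the "unknown authority" warning in the message above, and it is the server, not the user, that has to fix it by including the intermediate in its configured chain.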
---------------------------------------------------------------------
The Cryptography Mailing List
Unsubscribe by sending "unsubscribe cryptography" to majord...@metzdowd.com